Skill v1.0.0

ClawScan security

Ai Video Generator From Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 4:38 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are internally consistent with an online AI video-rendering service: it needs a NEMO_TOKEN, uploads user audio to nemovideo.ai, and controls rendering via that API — nothing requested is disproportionate to the stated purpose.
Guidance
This skill appears to do what it says — it uploads your audio to a cloud service (mega-api-prod.nemovideo.ai) and returns rendered videos. Before installing/using it, consider:
1) Privacy — your audio and any metadata are sent to the provider; confirm their data retention and sharing policies.
2) Token handling — NEMO_TOKEN grants the skill access to the service; if the skill generates an anonymous token, that token may be stored or used for 7 days; ask whether tokens are persisted and where.
3) Local file access — the skill will upload user-supplied files; ensure the agent only sends files you explicitly provide and does not read arbitrary local files.
4) The skill references an agent install path and a config directory (~/.config/nemovideo/) in its frontmatter — ask the author whether the skill will read those paths (the registry shows no required config path).
5) Verify the domain (nemovideo.ai) is the intended service and that you trust it to process your media.
If you need higher assurance, request the publisher/source URL, a privacy/data-retention statement, and confirmation about whether any tokens or uploads are stored long-term.

Review Dimensions

Purpose & Capability
ok
Name/description match the actions described in SKILL.md: creating music-synced videos on a cloud backend. Requesting a single service token (NEMO_TOKEN) is appropriate for an API-backed renderer. The skill's documented API endpoints and upload/render flows align with the declared purpose.
Instruction Scope
note
Instructions direct the agent to check the environment for NEMO_TOKEN, optionally request an anonymous token from https://mega-api-prod.nemovideo.ai, create sessions, upload user audio, and poll SSE/render endpoints — all expected for a cloud render workflow. Two points to note: (1) examples reference local file paths for multipart uploads (expected when user supplies files, but the agent must only access user-provided files), and (2) the skill instructs detection of an install path to set an attribution header (X-Skill-Platform) which implies reading or inferring agent install paths — this is not strictly required for rendering and leaks some environment identification information.
Install Mechanism
ok
Instruction-only skill (no install spec, no code files). No packages or remote downloads are performed by the skill itself, which reduces supply-chain risk.
Credentials
note
Only one credential is declared and used: NEMO_TOKEN (primary). This is proportionate to a hosted rendering service. The SKILL.md also contains frontmatter metadata that references a config path (~/.config/nemovideo/) and uses an install-path-based header; the registry metadata showed no required config paths — this mismatch should be clarified (does the skill attempt to read that config path or not?).
Persistence & Privilege
ok
always is false and the skill is user-invocable. It does not request persistent system-wide privileges, nor does it modify other skills' configurations. The skill will perform network calls to the remote API for each operation, which is normal for an API-backed renderer.