Skill v1.0.0

ClawScan security

Contents Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 7:21 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill’s requested token, API calls, and upload instructions are consistent with a cloud video-generation service; nothing requested is disproportionate to that purpose. However, the skill will create or use a service token and upload your media to an external backend, so you should be aware of the privacy implications.
Guidance
This skill is coherent for cloud-based video generation: it will upload files you instruct it to and will obtain/use a short-lived service token if one isn’t provided. Before installing, consider: (1) Do you consent to uploading your footage and prompts to https://mega-api-prod.nemovideo.ai? (2) If you prefer control, set NEMO_TOKEN yourself rather than letting the skill auto-create an anonymous token. (3) Avoid uploading sensitive/confidential content without reviewing the service’s privacy/retention policy. (4) Expect session state to be stored for ongoing jobs (the skill references ~/.config/nemovideo/); verify where the agent persists that data if that matters to you.

Review Dimensions

Purpose & Capability
ok: Name/description (video generation from prompts/footage) align with the declared requirement for a single service token (NEMO_TOKEN) and the documented API endpoints for uploads, SSE, and rendering. The declared config path (~/.config/nemovideo/) is plausible as a place to store session state/config for this service.
Instruction Scope
note: SKILL.md instructs the agent to: auto-obtain an anonymous token if NEMO_TOKEN is not set, create and persist a session_id, and upload local files (multipart -F "files=@/path") or URLs to the external API. These actions are consistent with the stated function, but they imply the agent will read user-specified files and transmit them to mega-api-prod.nemovideo.ai and will create short-lived credentials without an explicit interactive consent step beyond the first-time message.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing will be written to disk by an installer. Lowest installer risk.
Credentials
ok: Only one credential is required (NEMO_TOKEN / primaryEnv). That is proportional to a service that requires authenticated API access. The skill documents a procedure to obtain an anonymous token (100 free credits, 7 days) which fits the service flow. No unrelated secrets or broad system credentials are requested.
Persistence & Privilege
note: always:false and autonomous invocation is default. The skill requires keeping a session_id for subsequent requests and lists a config path; it may persist session state locally (or in memory) but does not request elevated system privileges or modify other skills. Be aware session state and uploaded files may be stored by the external service.