Skill v1.0.0
ClawScan security
Easy To Video Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 2:39 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are broadly consistent with a cloud video-rendering integration, but there are minor metadata/instruction mismatches and no install spec or code to fully verify behavior.
- Guidance
- This skill appears to do what it says: it uploads files and uses a cloud backend to render videos. Before installing/using: 1) Confirm you trust the nemovideo domain (mega-api-prod.nemovideo.ai) and are comfortable uploading your media and text (uploads go to their servers). 2) Prefer using an anonymous, short-lived token rather than a long-lived account token if you have privacy/billing concerns — the skill can obtain anonymous tokens automatically per the doc. 3) Note the metadata lists a config path (~/.config/nemovideo/); ask where (if anywhere) tokens or session data are stored locally. 4) Check the service's privacy/billing terms if you plan to upload sensitive or commercial assets. 5) Because this is instruction-only with no published source/homepage, exercise usual caution: consider testing with non-sensitive sample data first.
Review Dimensions
- Purpose & Capability
- ok: Name/description (convert text/images to videos) matches the declared API endpoints and flows in SKILL.md: session creation, upload, SSE-based generation, and export. Requesting a NEMO_TOKEN as the primary credential aligns with a cloud backend that requires authentication.
- Instruction Scope
- note: SKILL.md stays within the stated purpose (create sessions, upload files, poll render status, fetch download URLs). It instructs the agent to obtain an anonymous token if NEMO_TOKEN is missing. It also mandates including attribution headers and an auto-detected X-Skill-Platform value (which may require reading an install path/environment). The doc explicitly says not to expose tokens or raw API output — good practice. No instructions ask the agent to read unrelated files, system credentials, or transmit data to unexpected domains beyond the nemovideo API.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no bundled code — lowest install risk. There are no external downloads or package installs declared.
- Credentials
- note: Only NEMO_TOKEN is declared as required (primary credential), which is proportionate to a cloud video service. The SKILL.md will obtain an anonymous token if none exists; that's reasonable but means the agent will contact the remote auth endpoint and accept a short-lived token. Metadata also lists a config path (~/.config/nemovideo/) that is not referenced in the instructions — this is a minor inconsistency and could imply optional local persistence that the instructions do not describe.
- Persistence & Privilege
- ok: The skill is not always-enabled and does not request elevated platform privileges. It does not declare writing to other skills' configs or system-wide settings. Autonomous invocation is permitted (platform default) but is not a unique risk here.
