Skill v1.0.0
ClawScan security
Free Generation Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 3:11 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requested credential and API usage are coherent with an image/video-generation service, but there are small manifest inconsistencies and some ambiguous instructions about detecting install/config paths you should be aware of.
- Guidance: This skill appears to do what it says: it will send your NEMO_TOKEN (or obtain an anonymous token) and any uploaded media to mega-api-prod.nemovideo.ai to render images/videos. Before installing or using it: 1) Consider whether you trust that external service with the files and token you provide. Tokens will be transmitted as Bearer auth. 2) Ask the publisher to clarify the manifest mismatch: SKILL.md mentions a config path (~/.config/nemovideo/) and install-path detection for X-Skill-Platform — confirm whether the skill will read those local paths. 3) If you have sensitive images or credentials, avoid uploading them; use an anonymous token for limited testing. 4) Because the skill has no listed homepage or source, prefer skills with a known publisher or inspect any code before granting tokens. If you want higher confidence, request the skill's source or a homepage and verify whether it actually reads local config or installation paths.
Review Dimensions
- Purpose & Capability (ok): The skill is for generating images/videos and requires a single service token (NEMO_TOKEN), which is appropriate. One inconsistency: the SKILL.md metadata lists a config path (~/.config/nemovideo/) while the registry-level requirements showed no required config paths.
- Instruction Scope (note): The runtime instructions stay inside the stated purpose: authenticate (or obtain an anonymous token), create a session, upload media, stream edits, and request exports from https://mega-api-prod.nemovideo.ai. They do not instruct broad file-system reads or unrelated data collection. However, the doc says X-Skill-Platform is detected from the install path (e.g., ~/.clawhub/) which implies the agent may inspect installation paths; that behavior is ambiguous in the manifest and worth clarifying.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This is the lowest install risk and nothing is written to disk by an installer.
- Credentials (note): Only NEMO_TOKEN is required (with a documented anonymous-token fallback), which matches the service integration. Be aware the token (or anonymous token) and any uploaded files are sent to the external API. The SKILL.md's embedded configPaths (~/.config/nemovideo/) are not listed in the registry requirements, creating a minor mismatch about whether local config will be read.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request system-wide privileges or to modify other skills. Autonomous invocation is allowed by default (normal for skills) but does not combine with other high-risk flags here.
