Skill v1.0.0

ClawScan security

Free Video Generation Automatic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 20, 2026, 4:17 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are internally consistent with a cloud video-generation integration: it needs a single service token, talks only to a single external API, and has no installable code — but it will perform network calls and persist session/token state, so review data-privacy implications before using.
Guidance
This skill appears to do what it claims: it will make network requests to mega-api-prod.nemovideo.ai, upload your files, and store a short-lived anonymous token/session state so renders can be produced. Before installing, consider:
1) privacy: uploaded media may be retained by the service; check the provider's retention and deletion policy;
2) visibility: the skill's instructions tell the agent not to show raw API responses or token values, so errors and token exchanges may be hidden from you;
3) persistence: the skill may write state under ~/.config/nemovideo/ (or similar) to keep tokens/sessions; confirm where and how long tokens are stored;
4) network egress: the skill will perform outbound HTTPS requests and may auto-obtain a token on first use; if you need strict control over outbound traffic, do not enable it or provide an explicit NEMO_TOKEN instead of allowing anonymous creation; and
5) billing/limits: anonymous tokens are described as limited (free credits, 7-day expiry) and some errors require registration/upgrading.
If you want higher assurance, ask the publisher for a privacy/data-retention statement and for explicit details on where tokens and session data are persisted.

Review Dimensions

Purpose & Capability
ok
Name/description (auto-generating MP4s on cloud GPUs) match the declared requirement for a single service token (NEMO_TOKEN) and a service-specific config path (~/.config/nemovideo/). There are no extraneous environment variables or unrelated binaries requested.
Instruction Scope
note
SKILL.md instructs the agent to obtain/refresh an anonymous token, create sessions, upload files, stream SSE results, poll render status, and store session_id and token for subsequent calls. Those actions are expected for a cloud rendering service. The doc also instructs the agent to hide raw API responses and token values from the user, a plausible UX/information-hiding guideline but worth noting because it reduces visible transparency during setup and error handling.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. This minimizes installation risk; runtime network calls are the primary surface.
Credentials
note
Only one credential (NEMO_TOKEN) is required and is directly relevant to the stated purpose. The metadata also lists a service-specific config path (~/.config/nemovideo/), which is reasonable for persisting tokens/sessions but does imply the skill may read/write files under the user's home directory for state persistence.
Persistence & Privilege
ok
Skill is user-invocable and not forced-always; it requests to store a session_id and to persist/use a NEMO_TOKEN but does not request elevated system privileges or to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk requests.