Skill v1.0.0
ClawScan security
Free Video Generation By Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 8:34 AM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a cloud video-generation integration (it only requests a single service token and calls an external API), but there are minor metadata inconsistencies and an expected privacy risk when uploading media to a third-party service.
- Guidance
- This skill appears to do what it says: it connects to a third-party rendering service (mega-api-prod.nemovideo.ai) and uploads prompts and optionally your media to produce videos. Before installing or using it: (1) avoid uploading sensitive or private media — your files and prompts are sent to an external service; (2) if you already have a NEMO_TOKEN, set it in the environment to avoid the skill generating and storing an anonymous token; (3) note the small metadata mismatch (SKILL.md references ~/.config/nemovideo/) — check whether the agent will read or create that local config directory if you care about local artifacts; (4) verify the service domain and privacy/retention policies if you need guarantees about data handling; (5) if you want stronger assurance, request the skill's source or homepage so you can inspect network behavior or privacy statements. If any of these raise concerns, either do not install the skill or avoid sending sensitive content through it.
- Findings
[no-static-findings_instruction_only] expected: The regex-based scanner had no code files to analyze. This is expected for an instruction-only skill; absence of findings is not evidence of safety — runtime behavior involves network calls to an external API.
Review Dimensions
- Purpose & Capability
- ok: Name/description (AI video generation) align with the declared and runtime requirements: the skill needs a NEMO_TOKEN and talks exclusively to the nemovideo API endpoints to create, render, and export videos. Requesting a service token is proportionate for this purpose.
- Instruction Scope
- note: The SKILL.md tells the agent to obtain or use a NEMO_TOKEN, create sessions, stream messages (SSE), upload user files (multipart or URL), and poll render status, all of which are required for remote video rendering. This is within scope, but it means user media and prompts are sent to an external service (data-exfil/privacy risk). The instructions also say to 'store the returned session_id' and to avoid displaying raw tokens, which is acceptable but an implementation detail worth knowing. Minor inconsistency: SKILL frontmatter references a config path (~/.config/nemovideo/) whereas the registry metadata listed no required config paths.
- Install Mechanism
- ok: Instruction-only skill with no install spec and no code files. This is the lowest install risk (nothing is downloaded or written by an installer).
- Credentials
- ok: Only a single credential (NEMO_TOKEN) is required; that matches the service being used. The skill can also obtain an anonymous token from the same API if NEMO_TOKEN is not set, which is reasonable and consistent with the stated purpose. No unrelated secrets or multi-service credentials are requested.
- Persistence & Privilege
- ok: always:false and normal autonomous invocation are used. The skill asks to store session_id/token for use during the session but does not request elevated system-wide privileges or modify other skills. No permanent 'always' presence is requested.
