Skill v1.0.0

ClawScan security

Pika Ai Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:34 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud-based video-generation integration; it only requests a single service token and describes API calls needed to upload files and request renders.
Guidance
This skill appears coherent: it uploads your media to a third‑party rendering service and needs one service token (NEMO_TOKEN) or will obtain an anonymous token for you. Before installing, consider:
1) Privacy: any files you send (images, audio, video) will be uploaded to mega-api-prod.nemovideo.ai — do not send sensitive or proprietary content unless you trust that service and have reviewed its terms/privacy.
2) Token handling: the skill will store and use a bearer token (session IDs and tokens); it instructs not to print tokens, but the platform will hold them.
3) Local paths/headers: the skill may inspect install/config paths to set an attribution header — this can expose minimal platform information.
If you’re comfortable with those trade-offs and trust the service endpoint, the skill is internally consistent. If you need stronger assurance, ask the author for a privacy/retention policy and the exact behavior for stored tokens and uploaded media.

Review Dimensions

Purpose & Capability
ok: Name/description (generate videos from images/text) align with the declared requirement (NEMO_TOKEN) and the SKILL.md, which documents upload, SSE chat, export and render APIs for a video-rendering backend.
Instruction Scope
ok: SKILL.md limits actions to connecting to mega-api-prod.nemovideo.ai, creating an anonymous token if needed, creating sessions, uploading media, reading SSE, and polling export status. It does not instruct reading unrelated system files or other credentials. Minor note: it references detecting an install path to set an attribution header, which requires inspecting the environment/install path but is coherent with attribution behavior.
Install Mechanism
ok: No install spec or code files are present (instruction-only), so nothing is downloaded or written to disk by an installer. This is the lowest-risk installation model.
Credentials
note: Only one env var is required (NEMO_TOKEN / primary credential), appropriate for a third‑party API. The frontmatter also lists a config path (~/.config/nemovideo/) and the instructions mention detecting install paths for header attribution — these are plausible for this integration but you should expect the skill to read/write session tokens and possibly config under that path.
Persistence & Privilege
ok: always is false and autonomous invocation is the platform default. The skill requests no elevated platform-wide privileges and does not modify other skills or system-wide settings in its instructions.