Skill v1.0.0

ClawScan security

Text To Video Invideo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 15, 2026, 6:24 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (convert text to video) largely matches its runtime instructions, but there are inconsistencies (missing homepage/source, conflicting metadata about config paths) and it asks to use/store an API token and upload files to an external API — so verify the service and metadata before installing.
Guidance
This skill appears to do what it says (call a remote video-render API and upload user-provided files) but exercise caution before installing:
1) The source/homepage is missing — verify the service (nemovideo / mega-api-prod.nemovideo.ai) independently before providing tokens or files.
2) The SKILL.md YAML mentions a config path (~/.config/nemovideo/) that is not declared elsewhere — confirm whether the skill will read or write files there.
3) Only set NEMO_TOKEN if you trust the service; prefer ephemeral anonymous tokens and avoid storing long-lived secrets in global env vars.
4) Only upload content you own or that doesn't contain secrets (do not let the agent pick arbitrary local file paths).
5) If you need higher assurance, ask the publisher for a homepage/terms/privacy and a code/artifact link (or request a signed maintainer identity) — that information would move this assessment toward 'benign.'

Review Dimensions

Purpose & Capability
note: Name/description match the instructions: the skill drives a remote AI video API and requires an API token (NEMO_TOKEN). That credential is proportional to the stated purpose. However the package has no homepage/source and the YAML frontmatter in SKILL.md references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — an internal inconsistency.
Instruction Scope
note: Instructions explicitly perform network calls to https://mega-api-prod.nemovideo.ai, create or reuse NEMO_TOKEN, open sessions, stream SSE, and upload user files (multipart or URL). Those actions are expected for a cloud render service. The only scope concern is the skill's attempt to derive install platform from local install paths and its implicit expectation to read user-supplied file paths for upload — benign for intended uploads, but worth noting because it could be used to exfiltrate arbitrary local files if misused.
Install Mechanism
ok: Instruction-only skill with no install spec or code files — lowest install risk. Nothing is downloaded or written to disk by an installer.
Credentials
note: Only one env var is required (NEMO_TOKEN), which matches the API usage. But SKILL.md suggests auto-generating and storing a token and references a config directory in YAML, creating a mismatch with registry metadata. The skill will also read local file paths when uploading user files — expected, but sensitive if the agent is allowed to choose arbitrary paths.
Persistence & Privilege
ok: always:false and no install behavior means no forced persistent presence. The skill does instruct saving a session_id for the service, but it does not request platform-wide privileges or modification of other skills.