Skill v1.0.0

ClawScan security

Vivideo Ai Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 6:12 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are broadly consistent with a cloud video-generation integration, but there are small metadata inconsistencies and privacy considerations you should review before use.
Guidance
This skill appears to do what it says: it will call a third‑party Nemovideo API, upload media you supply, and return rendered video URLs. Before installing: (1) confirm you trust the domain (mega-api-prod.nemovideo.ai) and read its privacy/terms if you intend to upload sensitive media; (2) decide whether to set your own NEMO_TOKEN (explicit credential) or allow the skill to auto-request an anonymous token — auto-generation provides temporary credentials but still sends your uploads to a third party; (3) ask the maintainer to clarify the metadata mismatch about ~/.config/nemovideo/ (will session/token be written to disk?), and whether the agent will probe its install path to set X-Skill-Platform headers; (4) avoid uploading files you would not want sent to an external service. If any of these items are unclear or unacceptable, do not install or seek a version with explicit, documented storage and privacy behavior.

Review Dimensions

Purpose & Capability
ok: The skill name and description claim cloud video generation and the SKILL.md instructs the agent to call a Nemovideo API, upload media, create sessions, and export renders — these requirements align with the stated purpose (NEMO_TOKEN as the API credential is appropriate).
Instruction Scope
note: Instructions are mostly scoped to the Nemovideo backend: check NEMO_TOKEN, obtain an anonymous token if absent, create a session, upload files, send SSE, poll status, and download results. Expected user-file access is required for uploads. Note: the skill asks to auto-detect an install path/platform to set an X-Skill-Platform header — that may require probing the agent environment and is not fully specified.
Install Mechanism
ok: No install spec or external downloads — instruction-only skill (lowest install risk). No code files were present for static analysis.
Credentials
note: Only one credential (NEMO_TOKEN) is required and that matches the remote API usage. However, SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch should be clarified (could imply storing session/token on disk).
Persistence & Privilege
ok: always:false and normal autonomous invocation. The skill directs storing a session_id for subsequent requests but does not request system-wide privilege changes or access to other skills' configs.