Skill v1.0.0

ClawScan security

Ai Video Generator Free Bangla · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 4:27 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud video-generation integration: it needs a NEMO_TOKEN (or can obtain an anonymous token) and issues API calls to a single external service to upload media, manage sessions, and render videos.
Guidance
This skill will contact a third-party service (mega-api-prod.nemovideo.ai) and needs a NEMO_TOKEN (or it will create a short-lived anonymous token) to upload your media and perform rendering. Before installing, consider: (1) Do you trust the remote service and its privacy policy? Your uploaded video/script files (up to 500MB) and generated tokens will be sent to that server. (2) Confirm whether the agent will be allowed to read any local config directory (~/.config/nemovideo/) — the SKILL.md mentions it in frontmatter but the instructions don't require it. (3) Prefer providing only an application-limited or ephemeral token rather than any broad credentials. If you have sensitive content, avoid uploading it until you verify the service and understand retention and sharing policies.

Review Dimensions

Purpose & Capability
ok
The skill claims to create Bangla videos and the instructions describe API calls for session creation, upload, SSE-based editing, and export. Requiring a single service token (NEMO_TOKEN) is consistent with that purpose. No unrelated credentials or binaries are requested.
Instruction Scope
note
Instructions stay within the service integration: obtain/use NEMO_TOKEN, create a session, upload files (up to 500MB), run SSE and export workflows. The skill tells the agent to save session_id but does not specify persistent storage location (likely ephemeral runtime state). Also the frontmatter mentions a config path (~/.config/nemovideo/) even though the registry metadata listed no required config paths and the instructions do not actually read that path — this inconsistency is worth noting but not itself malicious.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no bundled code. That minimises local install risk (no downloads or extracted archives). Runtime network calls are the primary external action.
Credentials
note
Only NEMO_TOKEN is required (declared as primaryEnv), which is proportionate for an API-backed video service. The frontmatter's mention of a local config path could imply access to user config files, but the runtime instructions do not actually require reading files from that path. Confirm whether the agent will be allowed to read that config directory before installing.
Persistence & Privilege
ok
always:false and no instruction to modify other skills or global agent settings. The skill instructs generating or using an anonymous token and saving a session_id for the session, which is normal for an API client; it does not request permanent 'always' presence or elevated privileges.