Skill v1.0.0
ClawScan security
Ai Video Generator Free Bot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 7:05 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement a cloud video-generation integration and mostly aligns with that purpose, but small metadata inconsistencies, instructions that read local config and install paths, and token creation without a provenance URL merit caution.
- Guidance: This skill looks like a legitimate cloud video-generation integration, but take these precautions before installing:
  1. Confirm the service domain (mega-api-prod.nemovideo.ai) and ask for an official homepage or source repository so you can verify the vendor.
  2. Be cautious about placing a long-lived NEMO_TOKEN in your environment; prefer an ephemeral or scoped token and understand its lifetime and permissions.
  3. The skill may probe ~/.config/nemovideo/ and detect your install path; avoid storing unrelated secrets in those locations and do not upload sensitive images or data.
  4. If you need stronger assurance, ask the publisher to explain why the skill reads install and config paths and to provide a privacy/security statement or source code.
  If you proceed, monitor which tokens the skill receives and revoke them if you see unexpected activity.
Review Dimensions
- Purpose & Capability (note): The name and description match the runtime instructions: the SKILL.md describes a cloud API (mega-api-prod.nemovideo.ai) for generating videos and requires a NEMO_TOKEN for the Authorization header, which is expected for this purpose. However, the skill's YAML frontmatter declares a required config path (~/.config/nemovideo/) that is not reflected in the registry metadata summary, and the skill inspects install paths (~/.clawhub/, ~/.cursor/skills/) to set an attribution header. Those filesystem checks are tangential to core video generation and amount to an unexplained extra privilege.
- Instruction Scope (concern): The SKILL.md explicitly instructs the agent to: read NEMO_TOKEN from the environment; if it is missing, generate a UUID and POST it to an anonymous-token endpoint to obtain a token; keep the session_id for subsequent operations; and read upload file paths or accept URLs and POST multipart uploads. It also instructs the agent to probe local install directories to set X-Skill-Platform. Reading local config and install paths and constructing headers from filesystem location are outside the minimal needs of submitting user-provided files to a cloud API and broaden the agent's local access. The skill does explicitly say not to expose tokens or raw API output, which mitigates some risk, but the instructions still give the agent discretion to access local paths.
- Install Mechanism (ok): No install spec or code files are present; this is instruction-only and does not write code to disk, which lowers install-time risk.
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared as required, which is proportionate for a cloud service. However, the SKILL.md will generate an anonymous token if none is present, and the frontmatter also lists a config path (~/.config/nemovideo/); requesting or probing that path could surface other sensitive files. The registry metadata summary and the frontmatter disagree about required config paths, an inconsistency worth clarifying with the publisher.
- Persistence & Privilege (ok): The skill is not 'always: true' and uses the normal autonomous-invocation default. It instructs the agent to keep a session_id for the session lifetime but does not require persistent installation or modification of other skills. This is within normal bounds for an API-backed skill.
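The Instruction Scope and Credentials findings above (undeclared install-path probes, a header derived from filesystem location, a self-minted token with no vendor URL, and a frontmatter/registry mismatch) can be checked mechanically before installing a skill. The script below is an added example, not ClawScan's scanner and not the skill's own code: it parses a constructed SKILL.md modelled on the behaviour the report describes, compares its frontmatter with a constructed registry metadata summary, and emits findings using the report's own note/concern labels. The frontmatter keys (config_paths, credentials, homepage), the registry summary shape and the SKILL.md text are assumptions; the anonymous-token endpoint is not named on this page, so the sample refers to it only generically.

```python
"""Static checks for a ClawHub-style SKILL.md, mirroring the review dimensions
above. Added example: the frontmatter keys, registry summary shape and SKILL.md
text are constructed for illustration and are not ClawScan's or the skill's own."""
import re
from dataclasses import dataclass

# Assumed frontmatter keys (this page does not name them):
#   config_paths - filesystem locations the skill declares it needs
#   credentials  - environment variables the skill declares as required
#   homepage     - vendor/source URL offered as provenance
PATH_RE = re.compile(r"~/[\w.\-/]+")                      # ~/.config/nemovideo/, ~/.clawhub/ ...
CRED_RE = re.compile(r"\b[A-Z][A-Z0-9_]*_(?:TOKEN|KEY|SECRET|PASSWORD)\b")
HEADER_RE = re.compile(r"\bX-[\w-]+\b")                   # custom headers such as X-Skill-Platform
MINT_RE = re.compile(r"\b(?:anonymous|generate)\b.*\btoken\b", re.I)  # skill mints its own token


@dataclass(frozen=True)
class Finding:
    dimension: str   # review dimension the finding belongs to
    severity: str    # "note" or "concern", the labels the report uses
    detail: str


def _as_list(value):
    return value if isinstance(value, list) else ([value] if value else [])


def parse_frontmatter(text):
    """Split SKILL.md into (frontmatter dict, body). Handles only flat
    `key: value` pairs and `key:` followed by `- item` lists."""
    if not text.startswith("---\n"):
        return {}, text
    end = text.find("\n---", 4)
    if end == -1:
        return {}, text
    meta, key = {}, None
    for line in text[4:end].splitlines():
        if key is not None and re.match(r"^\s*-\s+", line):
            if isinstance(meta.get(key), list):
                meta[key].append(line.split("-", 1)[1].strip())
        elif ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            meta[key] = val if val else []
    return meta, text[end + 4:]


def review_skill(skill_md, registry_meta):
    """Return the findings a reviewer would raise for this SKILL.md."""
    meta, body = parse_frontmatter(skill_md)
    declared_paths = _as_list(meta.get("config_paths"))
    declared_creds = set(_as_list(meta.get("credentials")))
    registry_paths = _as_list(registry_meta.get("config_paths"))
    findings = []

    # Registry summary and frontmatter must agree on required config paths.
    if set(declared_paths) != set(registry_paths):
        findings.append(Finding("Credentials", "note",
            f"frontmatter config paths {sorted(declared_paths)} differ from registry summary {sorted(registry_paths)}"))

    # Any home-directory path the instructions touch should be a declared one.
    touched = {p.rstrip(".") for p in PATH_RE.findall(body)}
    for path in sorted(touched):
        if not any(path.startswith(d.rstrip("/")) for d in declared_paths):
            findings.append(Finding("Instruction Scope", "concern",
                                    f"reads undeclared local path {path}"))

    # A request header whose value is decided by probing the filesystem.
    for line in body.splitlines():
        header = HEADER_RE.search(line)
        if header and PATH_RE.search(line):
            findings.append(Finding("Instruction Scope", "concern",
                f"header {header.group()} is derived from local filesystem location"))

    # Credentials read from the environment but not declared in the frontmatter.
    for cred in sorted(set(CRED_RE.findall(body)) - declared_creds):
        findings.append(Finding("Credentials", "note", f"uses undeclared credential {cred}"))

    # The skill mints its own token and offers no vendor URL to verify against.
    if MINT_RE.search(body) and not meta.get("homepage"):
        findings.append(Finding("Credentials", "note",
            "mints an anonymous token but declares no homepage/source URL for provenance"))
    return findings


# Constructed SKILL.md modelled on the behaviour the report describes.
SAMPLE_SKILL_MD = """---
name: Ai Video Generator Free Bot
credentials:
  - NEMO_TOKEN
config_paths:
  - ~/.config/nemovideo/
---
Use the cloud API at mega-api-prod.nemovideo.ai to generate videos.
Read NEMO_TOKEN from the environment and send it in the Authorization header.
If NEMO_TOKEN is missing, generate a UUID and POST it to the anonymous-token endpoint to obtain a token.
Keep the returned session_id for every later call in this session.
Check ~/.clawhub/ and ~/.cursor/skills/ to set the X-Skill-Platform header.
Accept a local file path or a URL and upload it as multipart form data.
Never show the raw token or raw API output to the user.
"""

# Constructed registry metadata summary; it omits the config path, which is the
# frontmatter/registry inconsistency the report calls out.
SAMPLE_REGISTRY = {"credentials": ["NEMO_TOKEN"], "config_paths": []}

if __name__ == "__main__":
    for f in review_skill(SAMPLE_SKILL_MD, SAMPLE_REGISTRY):
        print(f"[{f.severity}] {f.dimension}: {f.detail}")
```

Running it on the sample yields three concerns (two undeclared install-path probes and the X-Skill-Platform header built from them) and two notes (the frontmatter/registry mismatch and the self-minted token with no homepage). The checks are line-level heuristics over the instruction text, so they catch what the instructions say, not what an agent might do beyond them; they are a pre-install gate, not a substitute for asking the publisher why those paths are read.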
