Skillv1.0.0

ClawScan security

Ai Video Generator Free Malayalam · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 23, 2026, 2:18 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are consistent with a cloud-based Malayalam video generator; no unrelated credentials or installers are requested, but it will call an external API and attach attribution headers that could leak local install metadata and it stores short-lived tokens/sessions.
Guidance: This skill appears to do what it says: talk to nemo-video cloud endpoints to render Malayalam videos. Before installing, consider: (1) the skill will call https://mega-api-prod.nemovideo.ai and include attribution headers — those headers can leak your local install path/platform info; (2) it will create and store short-lived anonymous tokens if you don't provide a token, so review or clean ~/.config/nemovideo/ if you care about local secrets; (3) only provide a NEMO_TOKEN you trust — prefer a throwaway or limited-scope token if possible; (4) verify the API domain and service legitimacy if you need stronger assurance. If you want to reduce exposure, use anonymous tokens (they expire) or avoid exposing local paths in headers by editing the skill or asking the maintainer to stop including install-path-based headers.

Review Dimensions

Purpose & Capability: okThe skill declares a single credential (NEMO_TOKEN) and describes calling a nemo-video cloud API to create/render videos — this aligns with the stated purpose. The config path (~/.config/nemovideo/) and session/token usage are reasonable for a cloud rendering client.
Instruction Scope: noteInstructions are focused on authenticating, creating a session, uploading media, streaming edits, and starting exports to the listed API endpoints. However the skill requires adding attribution headers (X-Skill-Source, X-Skill-Version, X-Skill-Platform) and instructs the agent to detect the install path to set X-Skill-Platform, which can reveal local install paths or environment details to the remote service. The runtime also instructs generating and storing anonymous tokens/session IDs locally, which is expected but worth noting as stored secrets.
Install Mechanism: okNo install specification or external downloads — this is an instruction-only skill, so nothing is written to disk by an installer. That minimizes code-install risk.
Credentials: noteOnly NEMO_TOKEN is requested as an env var (declared primary credential), which is proportional to calling the nemo API. The skill also references a local config path and will create/refresh anonymous tokens if NEMO_TOKEN is missing; this behavior is consistent with its function but means tokens may be created/stored automatically.
Persistence & Privilege: okalways is false and the skill does not request system-wide privileges or attempt to modify other skills. It will persist session IDs/tokens (normal for a client), but does not demand permanent platform presence.