Skill v1.0.0

ClawScan security

Free To Video Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 2:20 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions align with its stated purpose of driving a remote NemoVideo rendering API; nothing requested appears disproportionate to converting text/images to videos.
Guidance
This skill appears coherent: it talks to the nemovideo.ai API, authenticates with NEMO_TOKEN (or obtains a short-lived anonymous token), and uploads user media for remote rendering. Before installing, consider:
1) Anything you send (text, images, audio, or video files) will be uploaded to a third-party service — do not upload sensitive or private data.
2) Provide only a Nemo-specific token (NEMO_TOKEN); avoid putting broad cloud credentials in that env var.
3) The frontmatter references ~/.config/nemovideo/ — ask the author whether the skill will read that folder locally (useful for local tokens) or not; grant file access only if you trust the service.
4) Because the skill runs remotely, check NemoVideo's privacy/terms if you care about retention, reuse, or training.
If you want extra caution, use the anonymous-token flow or a limited-scope token rather than a long-lived credential.

Review Dimensions

Purpose & Capability
ok: Name/description match the runtime instructions: all API endpoints, upload, session, SSE, export, and credits flows are for nemovideo.ai. The single required env var (NEMO_TOKEN) is appropriate for authenticating to that service.
Instruction Scope
ok: SKILL.md only instructs interaction with the nemovideo API (auth, session, upload, render, state, credits, SSE). It does not instruct reading unrelated system files or sending data to other endpoints. It tells the agent not to print tokens/raw JSON.
Install Mechanism
ok: Instruction-only skill with no install spec or downloaded code — lowest-risk execution surface. No archive downloads or third-party installs are requested.
Credentials
note: Only NEMO_TOKEN is declared as required and is appropriate. The frontmatter metadata also lists a config path (~/.config/nemovideo/) which could imply the skill may look for local NemoVideo client config; this is plausible but optional — confirm whether the skill will read that directory or rely solely on the env var.
Persistence & Privilege
ok: Skill is not always-enabled and is user-invocable; it does not request system-wide changes or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges.