Skill v1.0.0

ClawScan security

Free Video Generator Chinese Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 23, 2026, 4:10 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud video-generation integration that uses a single service token and remote APIs; nothing requested appears unrelated to its stated purpose.
Guidance
This skill appears to be what it says: a cloud video-generator that uses a single API token (NEMO_TOKEN) and sends uploads to mega-api-prod.nemovideo.ai. Before installing, consider: (1) data privacy — media you upload will be sent to that external service, so avoid uploading sensitive content; (2) tokens — provide a dedicated or limited token if possible (or allow the skill to obtain an anonymous token if you prefer ephemeral access); (3) filesystem probing — the skill may check install paths or a ~/.config/nemovideo/ directory for attribution metadata (not arbitrary files), so if you have sensitive files there, be cautious; (4) provenance — the skill has no homepage or source listed, so if you care about vendor trust, ask for more details or prefer a skill with verifiable authorship. If you accept those trade-offs, the skill's behavior is internally consistent.

Review Dimensions

Purpose & Capability
ok
Name and description match the actions described in SKILL.md: creating/uploading media, queuing cloud renders, and downloading outputs. The single required env var (NEMO_TOKEN) and the listed API endpoints align with a video-rendering backend.
Instruction Scope
note
Runtime instructions confine activities to communicating with mega-api-prod.nemovideo.ai (auth, session, upload, SSE, render polling) and handling user uploads. They also ask the agent to read the skill's YAML frontmatter and to detect an install path (to set X-Skill-Platform) and reference a config path (~/.config/nemovideo/). Reading the skill's frontmatter is reasonable; probing install paths or config directories is minor scope creep — it reads local paths for attribution but could expose filesystem layout. This is noteworthy but plausible for header attribution.
Install Mechanism
ok
Instruction-only skill: no installers, no downloaded archives, and no code files to execute on install. This is the lowest-risk install model.
Credentials
ok
Only one credential is required (NEMO_TOKEN) which is appropriate for an API-backed video service. The SKILL.md documents how an anonymous token can be acquired if not provided. The declared config path (~/.config/nemovideo/) is related to the service and is plausible, though it implies potential local config access.
Persistence & Privilege
ok
The skill is not always-on and is user-invocable; it does not request system-wide persistence or elevated privileges. It asks to store a session_id for ongoing requests (normal ephemeral session behavior).