Skill v1.0.0

ClawScan security

Free Video Image Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 9:17 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud-hosted image→video generation tool; it only needs a single service token and makes API calls to the declared backend.
Guidance
This skill will send your prompts and any uploaded files to https://mega-api-prod.nemovideo.ai and will either use a provided NEMO_TOKEN or request an anonymous token from that service. Before installing or providing credentials: 1) ensure you trust that backend (privacy, retention, and who can access uploaded media); 2) avoid providing highly privileged or production tokens—use a scoped or disposable token if possible; 3) note the metadata mentions ~/.config/nemovideo/ even though the instructions don't use it—be cautious if the agent asks to read local config files; and 4) because this is instruction-only, the agent will perform network calls at runtime (no local binaries are installed).
Findings
[no_findings] expected: No code files were present so the regex scanner had nothing to analyze. The security surface is the SKILL.md instructions and declared metadata.

Review Dimensions

Purpose & Capability
ok: The skill's name/description (video generation) matches the declared primary credential (NEMO_TOKEN) and the documented API endpoints at mega-api-prod.nemovideo.ai. No unrelated credentials or binaries are requested.
Instruction Scope
ok: SKILL.md instructs only service-related actions: create/use a session, upload files, stream SSE, poll export status. It does require network calls to the stated backend and will upload user-provided files and prompts there, which is expected for this purpose. It does not instruct reading arbitrary system files or unrelated environment variables.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files—no packages are downloaded or written to disk by the skill itself.
Credentials
note: Only one env var is required (NEMO_TOKEN), which is proportionate. The metadata also lists a config path (~/.config/nemovideo/) even though SKILL.md does not reference reading it — this is a minor inconsistency (metadata claims possible config use). The skill also documents obtaining an anonymous token from the backend if no NEMO_TOKEN is present; that behavior is coherent but means the agent will reach out to the external service to get a temporary credential.
Persistence & Privilege
ok: The skill is not always-included, does not request elevated or cross-skill config changes, and has no install-time persistence.