Skill v1.0.0

ClawScan security

Photo Video Maker Facebook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 11, 2026, 12:33 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud video-rendering service: it needs one service token (NEMO_TOKEN), talks only to the nemovideo API, and has no installable code — but you should note a small metadata mismatch and consider how tokens/sessions are stored.
Guidance
This skill appears to do what it says: it talks to a nemovideo cloud API and needs one bearer token. Before installing: 1) note the source/homepage is missing — verify the service if you care about provenance; 2) prefer supplying your own NEMO_TOKEN rather than letting the skill create and store an anonymous token; 3) ask/verify where the agent will persist the token/session_id (the SKILL.md hints at ~/.config/nemovideo/); and 4) if you do not want the agent to use stored tokens autonomously, avoid enabling persistent/autonomous use or remove the token when finished.

Review Dimensions

Purpose & Capability
note
The skill is a cloud photo→video service and only requests one service credential (NEMO_TOKEN) and uses endpoints under mega-api-prod.nemovideo.ai, which is coherent with the described purpose. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this suggests the skill expects to read or write a local config directory but the registry declaration didn't reflect that.
Instruction Scope
note
The SKILL.md instructs the agent to check NEMO_TOKEN, or obtain an anonymous token from the nemovideo API, create and store a session_id, upload files, and poll render endpoints. These actions stay within the stated domain (render service). The noteworthy scope item is that the skill asks the agent to persist tokens/session IDs (and frontmatter hints at a config path), which may lead to local storage of credentials/session state — the instructions do not detail where or how long to persist them.
Install Mechanism
ok
This is an instruction-only skill with no install spec or code to download. That is the lowest-risk install mechanism and consistent with the provided SKILL.md.
Credentials
note
Only one environment variable (NEMO_TOKEN) is declared and is appropriate for an API-backed video service. The skill also implements anonymous-token generation if NEMO_TOKEN is missing; that behavior is reasonable but means the agent will receive and be asked to store a bearer token it obtained itself. If you prefer control, supply your own NEMO_TOKEN rather than letting the skill create one.
Persistence & Privilege
note
The skill does not request always:true and does not modify other skills. However it explicitly instructs storing a session_id and potentially the anonymous token for subsequent requests; consider whether you are comfortable with the agent persisting those credentials/session identifiers and where they will be stored (frontmatter references a config path). Autonomous invocation remains enabled (default), so stored credentials could be used by the agent without asking if you grant that permission.