Skill v1.0.0

ClawScan security

Text To Video Hd Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 16, 2026, 7:01 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (convert text to HD video) matches the network calls and token usage, but there are inconsistencies in metadata and a few runtime behaviors (auto-creating/storing tokens, probing install paths, and uploading arbitrary local files) that merit caution before installing.
Guidance
This skill appears to do what it says (call a NemoVideo API to render videos) but there are a few things to check before installing:
1) Confirm the external API domain (mega-api-prod.nemovideo.ai) is trustworthy for your use and that you’re comfortable sending text and files there.
2) Be aware the skill will look for NEMO_TOKEN and, if missing, will create an anonymous token by POSTing to the service and may store tokens/session state under ~/.config/nemovideo/ — verify and control that storage location.
3) The skill may read install paths to set X-Skill-Platform and will upload local files you provide; avoid sending sensitive documents or secrets.
4) The registry metadata and the in-file metadata disagree about required config paths — ask the publisher to clarify where data/tokens are stored and to provide a privacy/retention statement.
If you need higher assurance, request source code or an official integration reference from the service before granting the skill network or filesystem access.

Review Dimensions

Purpose & Capability
note: The skill claims to convert text into HD videos and the SKILL.md describes API endpoints, session creation, uploads, credits, and export flows that align with that purpose. Requesting NEMO_TOKEN as the primary credential is reasonable. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this registry vs. runtime metadata mismatch is inconsistent and should be clarified.
Instruction Scope
note: Most runtime instructions stay within the video-generation domain (create session, upload file, stream SSE, poll render). Potentially sensitive actions are described: auto-generating an anonymous token by POSTing to the external API if NEMO_TOKEN is absent, saving and reusing session_id and possibly storing tokens in ~/.config/nemovideo/, and detecting install path to set X-Skill-Platform (which implies reading local filesystem paths). Those are plausible for operation but extend the skill's scope beyond purely stateless API calls and mean the agent will access local filesystem and persist tokens.
Install Mechanism
ok: This is instruction-only (no install spec, no code files). That is lower risk from a code-install perspective: nothing is downloaded or written by an installer script in the skill bundle itself. The runtime behavior still causes network calls and may write tokens to disk per the instructions.
Credentials
concern: Only NEMO_TOKEN is declared as required, which fits the described API usage. However, the SKILL.md instructs the agent to create an anonymous token if NEMO_TOKEN is missing and to persist session/token state (metadata indicates ~/.config/nemovideo/). The registry metadata earlier said 'Required config paths: none' whereas the skill frontmatter requests a config path. That inconsistency (the skill planning to read/write a config directory without it being declared in registry metadata) is a proportionality/visibility concern: users should be aware where credentials may be stored.
Persistence & Privilege
note: always:false (no forced presence) and default autonomous invocation are normal. The skill will create sessions and tokens and may persist them to a config path, but it does not request escalated system privileges or claim to modify other skills. Autonomous network access combined with token persistence increases blast radius if misused, so consider that when enabling autonomous invocation.