Skillv1.0.0

ClawScan security

Video Game Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 19, 2026, 4:31 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with its stated purpose (remote video rendering) and only require a single service token; there are no surprising credentials or install steps — but it will upload your assets to an external API you should trust.
Guidance: This skill appears to do what it says: it uploads your images/audio to a remote rendering API (mega-api-prod.nemovideo.ai) and returns a rendered video. Before installing: (1) confirm you trust the external service and domain — your assets and metadata will be transmitted and stored there; (2) understand NEMO_TOKEN is a Bearer credential giving access to your account on that service (use a limited-scope or anonymous token if possible); (3) the skill will read its own SKILL.md and detect its install path to set attribution headers — benign but note it inspects its runtime environment; (4) avoid uploading sensitive PII or proprietary assets unless you accept external hosting. If you need stronger guarantees, request the vendor’s privacy/security docs or run the skill in a sandboxed environment.

Review Dimensions

Purpose & Capability: okName/description (create game videos from assets) match the runtime instructions: all API endpoints, upload, SSE-based editing, session and export flows target a remote rendering service. The single required env var (NEMO_TOKEN) is appropriate for authenticating to that service.
Instruction Scope: noteInstructions direct the agent to create or reuse a NEMO_TOKEN, open a session, upload user-provided assets, stream SSE messages, and poll for render status — all inline with a cloud-render workflow. The SKILL.md also instructs the agent to read the skill's YAML frontmatter and detect install path to populate attribution headers; this means the agent will read its own skill file and may inspect its install location. There are no instructions to read unrelated system files or other environment variables. Users should understand that their image/audio assets and session metadata will be transmitted to the external API host (mega-api-prod.nemovideo.ai).
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by the skill itself. That minimizes installation risk.
Credentials: okOnly NEMO_TOKEN is required and declared as the primary credential. That is proportionate for a service that requires authenticated uploads and exports. The skill also supports generating an anonymous token via the service's anonymous-token endpoint if no token is provided (100 credits, 7-day expiry).
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or system-wide settings. It will create session state on the remote service (session_id, render jobs) but does not demand elevated platform privileges.