Skill v1.0.0
ClawScan security
Video Generator Ai Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 17, 2026, 3:44 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what its name says (drive a cloud video-rendering API) but contains inconsistencies and instructions that merit caution, particularly around token creation/storage, an undeclared config path, and automatic network calls to an external rendering backend.
- Guidance: This skill appears to be a front end for a cloud video-rendering API and will make network requests to mega-api-prod.nemovideo.ai, upload user files (up to 200MB), and create or reuse tokens/sessions. Before installing:
  1. Confirm you trust the nemovideo.ai domain and the skill author (no homepage/source listed).
  2. Verify the mismatch about a config path (~/.config/nemovideo/): ask where tokens/session IDs will be stored and whether any files will be written or read outside the skill's folder.
  3. Be aware the skill will auto-create anonymous tokens if NEMO_TOKEN is absent (it will POST to get a token) and will store session IDs; if you do not want the agent to persist credentials or upload private media, do not install.
  4. If you proceed, monitor what files the agent accesses and prefer providing your own NEMO_TOKEN rather than allowing anonymous token creation.

  If you need higher assurance, request the skill source or a homepage and exact details about token storage and logfile behavior.
Review Dimensions
- Purpose & Capability (note): The skill's purpose (generate short YouTube videos via a cloud render API) aligns with requiring a NEMO_TOKEN and calling nemovideo.ai endpoints. However, the SKILL.md metadata also references a config path (~/.config/nemovideo/) while the registry top-level metadata lists no required config paths, an internal inconsistency that could indicate the skill expects to read or write files although that requirement wasn't declared.
- Instruction Scope (concern): Instructions direct the agent to auto-create anonymous tokens (POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token), create and reuse sessions, upload user files (up to 200MB), and include attribution headers that require detecting an install path. The flow is expected for a cloud service, but the agent is told to store session_id and avoid showing raw tokens to users; this implies persistent credential handling. The SKILL.md also implies the agent may read an install path to set X-Skill-Platform, which is not declared in required env/config entries.
- Install Mechanism (ok): Instruction-only skill with no install steps or code files. Nothing is downloaded or written by an installer spec in the registry, which reduces installation risk. Network calls occur at runtime (API endpoints) but no archive downloads or external install URLs are present.
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared, which is proportional to a cloud rendering service. But SKILL.md metadata lists a config path (~/.config/nemovideo/) and the agent is asked to auto-generate and store anonymous tokens and session IDs; it's unclear where those session tokens should be stored and whether the agent will access other parts of the filesystem or environment. That mismatch is worth verifying.
- Persistence & Privilege (note): The skill is not always-enabled and uses normal autonomous invocation. It instructs storing session state and notes that closing a tab can orphan jobs, implying the service expects session persistence. This is not inherently privileged, but you should confirm where tokens/session IDs are stored and whether the skill will persist them across agent restarts.
