Skill v1.0.0

ClawScan security

Wan Ai Leading Ai Video Generation Model · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 9:39 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud video-generation integration: it needs a single service token, talks to nemovideo.ai endpoints, and uploads user files for rendering.
Guidance
This skill appears coherent for a cloud-based video-generation service, but consider these practical points before installing: (1) The skill will make network calls automatically on first use and may obtain an anonymous token if you don't provide NEMO_TOKEN—if you prefer to control credentials, set NEMO_TOKEN yourself rather than relying on anonymous issuance. (2) It will upload files you give it; avoid sending private or sensitive files. (3) The skill will store session IDs/tokens for ongoing calls but doesn't specify secure storage—treat those tokens as sensitive. (4) Confirm you trust the endpoint (mega-api-prod.nemovideo.ai) and the service's privacy policies before using. If you want tighter control, provide your own NEMO_TOKEN and avoid opening the skill until ready to upload content.

Review Dimensions

Purpose & Capability
ok: Name/description, required env var (NEMO_TOKEN), and the API endpoints referenced all align with a cloud video-generation service. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
note: Runtime instructions are focused on authenticating, creating a session, streaming SSE messages, uploading files, polling render status, and returning download URLs, all expected for this purpose. Two items to note: (1) the skill instructs the agent to connect automatically the first time the skill is opened (it will call remote APIs without an extra explicit prompt), and (2) it says to store the returned session_id (and will obtain an anonymous token if NEMO_TOKEN is not present) but does not specify secure storage rules. The skill will access local files only when uploading them (multipart file path or URL) which is necessary for the feature.
Install Mechanism
ok: No install spec and no code files are present (instruction-only). This is the lowest-risk model from an install perspective: nothing is downloaded or written by an installer step.
Credentials
ok: Only one environment variable is required (NEMO_TOKEN) and it is the expected credential for the described API. The metadata also references a config path (~/.config/nemovideo/) and uses install-path detection for an attribution header; these are plausible for this service. Tokens and session IDs are sensitive and the instructions' use of them is proportional to the service.
Persistence & Privilege
note: The skill asks the agent to store session_id and to use/obtain a token if none is present. always:false and no other elevated privileges are requested. Storing tokens/session IDs is normal for a remote-service integration, but the SKILL.md is vague about where/how to store them securely.