Skill v1.0.0
ClawScan security
Youtube Video Generator Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 8:19 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requested access and runtime instructions align with its stated purpose (calling a video-rendering API using a single service token); nothing in the package suggests it is doing unexpected or unrelated work, though a few minor inconsistencies merit attention.
- Guidance: This skill appears to do what it says: it sends your text/images to a third‑party render API and returns a downloadable video. Before installing, verify you trust the service at https://mega-api-prod.nemovideo.ai and be aware that any media or text you submit will be transmitted to that domain. If you don't have a NEMO_TOKEN the skill will obtain an anonymous token for you (which also means the service will receive a generated client ID). Ask the publisher for a homepage or privacy policy if you need guarantees about data retention. If you handle sensitive media, run the skill in an isolated environment and avoid supplying credentials or secrets unrelated to NEMO_TOKEN. Finally, clarify why the skill metadata lists ~/.config/nemovideo/ (if you are concerned, deny file access to that path or inspect its contents first).
Review Dimensions
- Purpose & Capability (ok): Name/description describe cloud video generation and the SKILL.md only instructs calls to a single external video-rendering API and upload endpoints. Requiring a single service token (NEMO_TOKEN) is proportionate to that purpose.
- Instruction Scope (note): Instructions direct the agent to upload user-supplied media, create sessions, stream SSE chat, poll export endpoints, and re-authenticate anonymously if no token is present — all consistent with a cloud render pipeline. It does make live network calls to https://mega-api-prod.nemovideo.ai and will transmit user media/content to that service; the skill does not instruct reading unrelated local files or other env vars. Note: the frontmatter lists a config path (~/.config/nemovideo/) but the runtime instructions do not explain reading that path.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. That minimizes local write/execute risk.
- Credentials (note): Only NEMO_TOKEN is required and is the primary credential used for API calls, which is appropriate. Minor inconsistency: metadata declares a config path (~/.config/nemovideo/) even though SKILL.md never instructs reading it. If the platform grants the skill access to declared configPaths, consider whether that file may contain other secrets.
- Persistence & Privilege (ok): always:false and no special persistence or system-wide configuration changes are requested. The skill can be invoked autonomously (default) but that is normal for skills and not an elevated privilege here.
