Skillv1.0.0

ClawScan security

Ai Generator Video Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 9:52 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud video-generation integration; it asks only for a single service token and describes API calls that match its stated purpose, but a few small metadata/instruction inconsistencies and the unknown source mean you should review before trusting credentials or private content.
Guidance: This skill appears to do what it says: use a NEMO_TOKEN (or get an anonymous token it can request) and call nemo-video APIs to upload files and generate/download videos. Before installing, consider: (1) the skill will send any media you upload to an external API (mega-api-prod.nemovideo.ai) — don't upload private/sensitive files unless you trust that service; (2) treat NEMO_TOKEN like any secret API key — only provide an account token you are comfortable sharing with this integration; (3) the SKILL.md mentions auto-detecting an install path and includes a config path in frontmatter — ask the publisher to confirm whether the skill will read local agent/install paths or the ~/.config/nemovideo/ directory; (4) the skill has no published homepage or known source — prefer skills from identifiable authors or with a documented privacy/support policy. If you need higher assurance, request the publisher/source code or test with an anonymous/free token and non-sensitive media first.

Review Dimensions

Purpose & Capability: okName/description (AI video generation) align with the runtime instructions: calls to a nemo-video backend, upload endpoints, render/export endpoints, credits/status endpoints, and an expected NEMO_TOKEN credential are all coherent with video-generation functionality.
Instruction Scope: noteSKILL.md instructs only on connecting to the nemo API, creating sessions, uploading files, streaming SSE for generation, polling exports, and handling error codes. It does not instruct reading arbitrary local files or unrelated env vars. Two small items to note: (1) the instructions say to auto-detect an install path to set X-Skill-Platform, which may imply reading agent/install context; (2) the frontmatter references a config path (~/.config/nemovideo/) not mentioned elsewhere, which could imply optional usage of local config though the main flow uses tokens and anonymous auth.
Install Mechanism: okInstruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials: okOnly a single credential (NEMO_TOKEN) is required and is justified by the API Authorization header described in SKILL.md. The skill also describes obtaining an anonymous token if none is present (generating a UUID and POSTing to an API) — this behavior is reasonable for an unauthenticated fallback. The frontmatter's configPaths entry is a minor mismatch with registry metadata and should be clarified, but it is not a disproportionate credential request.
Persistence & Privilege: okalways is false and the skill is not requesting persistent/system-level privileges. It does not request to modify other skills or global agent settings.