Skill v1.0.0

ClawScan security

Ai Video Generator Free Chat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 22, 2026, 8:13 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches its stated purpose (generating videos via an API) and only needs a single service token, but there are small inconsistencies in its metadata and a few instruction details that could lead to unexpected file or token access — you should review those before installing.
Guidance
Before installing:
1) Confirm the NEMO_TOKEN usage: only provide a token you trust; prefer an ephemeral/limited token or anonymous flow for testing.
2) Ask the skill author to clarify the config path discrepancy: SKILL.md mentions ~/.config/nemovideo/ but the registry lists no required config paths. Find out whether the skill will read or write that directory.
3) Verify where session tokens and anonymous tokens are stored (memory vs disk) and how long they last; avoid storing long-lived credentials.
4) Be aware that uploading files sends your media to an external service (mega-api-prod.nemovideo.ai). Do not upload sensitive or private content unless you trust that endpoint and its privacy policy.
5) If you’re uncomfortable with the skill inspecting install paths to fill X-Skill-Platform headers (it may reveal local install layout), request a version that omits that behavior.
6) If possible, test with throwaway data and a throwaway token first.

These issues look like sloppy metadata and instructions rather than overtly malicious behavior, but clarify the points above before enabling the skill.

Review Dimensions

Purpose & Capability
Note: Name and description match the runtime instructions (calls to a nemo video API, upload, render, SSE). Requesting a single service token (NEMO_TOKEN) is coherent for a cloud-rendering video service. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry listing says no required config paths; this mismatch is unexplained.
Instruction Scope
Note: Instructions are specific about API endpoints, session flow, SSE, uploads, and token acquisition. They explicitly tell the agent to POST for anonymous tokens and to 'save session_id'. They also direct deriving X-Skill-Platform from the agent install path (e.g., ~/.clawhub/, ~/.cursor/skills/), which implies the agent may need to inspect its filesystem/installation path; this is outside pure 'send requests' behavior and should be confirmed.
Install Mechanism
OK: No install spec and no code files (instruction-only). The skill does not write code to disk or download external artifacts, which is the lowest-risk install mechanism.
Credentials
Note: Only a single credential (NEMO_TOKEN) is declared as required and is appropriate for a third-party video API. But the SKILL.md also references a config path in its metadata and expects generation/storage of anonymous tokens and session IDs; clarify whether the skill will persist tokens/session IDs to disk and whether it actually reads ~/.config/nemovideo/.
Persistence & Privilege
OK: always is false and the skill does not request elevated platform-wide privileges. The only potential persistence is saving a session_id or anonymous token (7-day expiry); the spec does not require permanent always-on presence or changes to other skills.