Skill v1.0.0

ClawScan security

Ai Video Generator Free Ios · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 4:04 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video-generation tool, but it uploads user media to an external API run by an unverified domain and reads a small set of local metadata/config paths — review privacy and provenance before use.
Guidance
This skill appears to do what it claims: it uploads photos/clips to mega-api-prod.nemovideo.ai for cloud rendering and needs a NEMO_TOKEN (or will request a short-lived anonymous token). Before installing or sending personal images, consider:
- Provenance: the skill has no homepage and an unknown source. Verify you trust the service/owner before uploading sensitive photos.
- Privacy: your media will be sent to an external API (mega-api-prod.nemovideo.ai); check the service's privacy terms if you care about retention/ML training.
- Local reads: the skill may read its own frontmatter and detect install/config paths (e.g., ~/.config/nemovideo/) to find tokens. Ensure no unrelated secrets are stored there.
- Tokens: if you already have a NEMO_TOKEN in your environment, the skill will use it; ensure that token scope is appropriate.
If you cannot verify the service or do not want to upload private images, do not install or invoke this skill.

Review Dimensions

Purpose & Capability
ok: Name/description (turn iPhone photos into 1080p videos) match the declared runtime actions: session creation, upload, SSE chat, render/export endpoints and a single service credential (NEMO_TOKEN). Required env var NEMO_TOKEN and the listed API endpoints are proportionate to the stated purpose.
Instruction Scope
note: SKILL.md stays within video-generation scope — it only describes obtaining/using a token, creating a session, uploading media, streaming SSE edits, and exporting renders. The instructions do ask the agent to read the skill's frontmatter/version and detect an install path (~/.clawhub/, ~/.cursor/skills/) and reference a config path (~/.config/nemovideo/) for tokens; these filesystem reads are limited and related to attribution/token usage but are worth noting.
Install Mechanism
ok: No install spec or packaged code — instruction-only skill. This minimizes on-disk installation risk; runtime network calls are the main surface area.
Credentials
ok: Only a single credential (NEMO_TOKEN) is declared as required/primary, which aligns with the API usage described. The fallback behavior (obtain an anonymous token from the external API) is documented. The declared config path (~/.config/nemovideo/) is consistent with storing a service token but is an additional filesystem access the user should be aware of.
Persistence & Privilege
ok: always is false and there's no installation that forces persistent presence. The skill is allowed to run autonomously by default (platform standard), but that is not combined with elevated privileges or broad credential access.