Skill v1.0.0

ClawScan security

Best Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 8:23 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are largely coherent with a cloud-based video-generation service: it needs a single service token and instructs the agent how to create a session and upload media — there are no unrelated credentials or installers — but verify the remote endpoint and privacy trade-offs before use.
Guidance
This skill appears to do what it says: it will send your prompts and any uploaded media to a third-party video-rendering API (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN (or will request an anonymous token). Before installing or using it:
1) Confirm you trust the destination domain/owner (no homepage or publisher info is provided).
2) Avoid uploading sensitive material — your media and prompts are transmitted to that remote service.
3) If you set NEMO_TOKEN in your environment, ensure it is scoped appropriately; if you let the skill fetch an anonymous token, understand it issues short-lived credentials with limited credits.
4) Be aware of the small metadata mismatch (declared configPaths in SKILL.md vs registry listing) — this is likely harmless but indicates the manifest may not have been fully curated.
If any of these points concern you, ask the skill publisher for a homepage/terms/privacy link and confirmation of how uploaded data is stored/retained before proceeding.

Review Dimensions

Purpose & Capability
ok: Name and description match the runtime instructions: the SKILL.md describes a cloud API for generating video, uploading media, checking credits, and exporting — all of which justify a single service token (NEMO_TOKEN). One minor inconsistency: the registry metadata reported 'required config paths: none' while the skill frontmatter metadata includes a config path (~/.config/nemovideo/). This is likely a small metadata mismatch, not a functional contradiction.
Instruction Scope
note: Instructions stay on-task: they look for NEMO_TOKEN, create a session, upload media, use SSE for streaming, and poll render status. The skill will (expectedly) POST user media and prompts to https://mega-api-prod.nemovideo.ai and may obtain an anonymous token if none is present. This exposes user content to a third-party service — intended for the skill's purpose but important privacy/consent context. The SKILL.md explicitly instructs not to leak tokens or raw API output, which is appropriate.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — minimal install risk (nothing is written to disk by the skill itself).
Credentials
ok: Only one credential is requested (NEMO_TOKEN), which is proportionate to a cloud API integration. The SKILL.md also describes obtaining an anonymous token if none is provided — consistent with needing an ephemeral service credential. No unrelated secrets or broad system credentials are requested.
Persistence & Privilege
ok: No elevated persistence is requested (always:false). The skill does not ask to install itself, modify other skills, or change system-wide agent settings. It only uses in-session tokens and API calls.