Skill v1.0.0

ClawScan security

Free Generator Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 3:11 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are internally consistent with a cloud-based video-generation service, but it will upload your files and use a bearer token for a third-party API — review privacy and token-handling before use.
Guidance
This skill appears to do what it claims: it calls a remote video-rendering API and uploads user files. Before installing, consider the following:
(1) Privacy: any images, audio, or video you give will be sent to mega-api-prod.nemovideo.ai — avoid uploading sensitive material.
(2) Token handling: NEMO_TOKEN is a bearer credential; if you allow the skill to obtain an 'anonymous' token, ask how/where that token is stored (memory vs disk).
(3) Local file reads: the skill reads its own frontmatter and may check install paths and a config directory (~/.config/nemovideo/) — if that directory contains secrets, clarify whether the skill will read it.
(4) Test first with non-sensitive media and a throwaway token/anonymous flow.
(5) Ask the publisher (or the integrator) for a privacy/storage policy and whether uploaded media are persisted or used for model training.
The only inconsistency found is the frontmatter declaring a config path while the registry summary lists none — request clarification. If these concerns are acceptable and you understand that files leave your device, the skill is coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok
The skill is a cloud video-generation wrapper and only requests a single service credential (NEMO_TOKEN) and describes API endpoints for uploading, SSE, and rendering. These requirements align with generating videos on a remote service.
Instruction Scope
concern
The SKILL.md instructs the agent to upload user files (videos, images, audio up to ~200MB) and to exchange tokens with an external domain (mega-api-prod.nemovideo.ai). It also instructs reading the skill's YAML frontmatter and detecting install path for attribution headers. Those file reads are explainable for attribution, but the instructions will transmit user-provided files to an external service (privacy risk) and may read local paths/configs for attribution. The file-upload + external API calls are expected for the stated purpose, but users should be aware that potentially sensitive assets will be sent off-device.
Install Mechanism
ok
There is no install spec and no code files — the skill is instruction-only, which means nothing is written to disk by an installer. This is the lowest install risk.
Credentials
note
The only declared credential is NEMO_TOKEN (primaryEnv), which matches the described API usage. However, the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) under metadata.requires, while the registry metadata summary said no required config paths — this discrepancy should be clarified (reading that directory could expose existing tokens or configs). Otherwise the requested environment access is proportionate.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevated platform privileges. It instructs saving a session_id for the session lifecycle (normal for remote APIs). There is no evidence it modifies other skills or system-wide settings.