Skill v1.0.0

ClawScan security

Joyfun Ai Text To Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 10:12 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions and required credential (NEMO_TOKEN) are consistent with a cloud text→video integration, but there are small metadata inconsistencies, an unknown external API host with no homepage/source, and ambiguous persistence instructions — review before installing or providing tokens.
Guidance: This skill behaves like a normal cloud text→video integration, but before installing you should: (1) confirm the API domain and owner (no homepage/source is provided); (2) avoid sending sensitive content — the skill uploads your text/files to mega-api-prod.nemovideo.ai; (3) verify how and where session_id or tokens are persisted (memory vs disk); (4) confirm whether the skill will read/write ~/.config/nemovideo/ since SKILL.md frontmatter mentions it but registry metadata does not; (5) provide a dedicated, limited-scope NEMO_TOKEN (or use the anonymous token flow) rather than reusing high-privilege credentials; and (6) ask the publisher for source code or documentation and a privacy policy before trusting it with production data.

Review Dimensions

Purpose & Capability
Severity: note
The name/description match the runtime instructions: the SKILL.md describes a text-to-video cloud API and the skill requires a single NEMO_TOKEN credential, which is proportionate. However, the package has no homepage or source URL, and the SKILL.md frontmatter lists a configPath (~/.config/nemovideo/) that is not reflected in the registry metadata — an inconsistency worth clarifying.
Instruction Scope
Severity: concern
Runtime instructions direct the agent to perform many network actions (anonymous-token creation, session creation, SSE streaming, file upload, exporting, polling) against https://mega-api-prod.nemovideo.ai and to save session_id. The skill does not request unrelated files or extra environment variables, but it will transmit user-provided text/files to a third-party API (no homepage or privacy info included). It also instructs deriving attribution headers from the YAML frontmatter and detecting an install path to set X-Skill-Platform — this platform-detection step is odd for an instruction-only skill and may be brittle or leak environment details.
Install Mechanism
Severity: ok
No install spec and no code files — lowest-risk installation surface. Nothing is written to disk by an installer. The primary runtime behavior is network I/O as described in SKILL.md.
Credentials
Severity: note
Only one credential is declared (NEMO_TOKEN), which is appropriate for an API-backed video service. The instructions also allow creation of an anonymous token via the API (UUID client id → data.token). No other unrelated secrets or config paths are explicitly required, but the SKILL.md frontmatter suggests a config path (~/.config/nemovideo/) which contradicts the registry metadata — clarify whether local config will be read/written.
Persistence & Privilege
Severity: note
always:false (normal). The skill asks to 'Save session_id' but does not specify where — this likely means in the agent/session memory but could imply writing to disk or persistent config; clarify how session tokens are stored and for how long. There is no request to modify other skills or system-wide settings.