Skill v1.0.0

ClawScan security

Text To Video Ai 2026 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 8, 2026, 5:23 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what its description says (connects to a cloud text-to-video API using a single NEMO_TOKEN) but has a few unexplained metadata and runtime details (declared config path, unknown upstream domain, anonymous-token flow) that don't fully line up with its stated scope — review before installing.
Guidance
This skill appears to implement a text→video API and asks only for a single NEMO_TOKEN, which is expected. Before installing: 1) Confirm the upstream domain (mega-api-prod.nemovideo.ai) and verify the provider and privacy/terms — the skill will transmit prompts and uploads to that endpoint. 2) Decide whether you want to supply your own NEMO_TOKEN instead of letting the skill obtain an anonymous token (the anonymous flow creates a token with limited credits). 3) Ask why the metadata declares ~/.config/nemovideo/ access; avoid granting access to directories containing other credentials unless you trust the provider. 4) Be cautious about uploading private or sensitive files (uploads go to the remote API). If you cannot verify the service/operator or the purpose of the configPath, treat this skill as untrusted.

Review Dimensions

Purpose & Capability
note: Name/description match the runtime instructions: the skill talks to a remote text-to-video backend and uses a single bearer token (NEMO_TOKEN). However the metadata declares a required config path (~/.config/nemovideo/) even though the SKILL.md provides no steps that need that config; this is an unexplained mismatch.
Instruction Scope
ok: SKILL.md stays on-task: it checks NEMO_TOKEN, can obtain an anonymous token from the service if missing, creates sessions, uses SSE for generation, uploads user files, and polls exports. It does read the skill's YAML frontmatter (for X-Skill-Version/Source) and attempts to detect an install path to set X-Skill-Platform — those are reasonable but worth noting because they require reading the skill file and inspecting paths.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer step in the bundle itself.
Credentials
concern: The only declared required credential is NEMO_TOKEN (appropriate for a cloud API). But the metadata also lists a config path (~/.config/nemovideo/) that would grant access to local user config files (potentially sensitive). The SKILL.md does not justify reading that path. The skill also includes an anonymous-token acquisition flow that will create and store a token if one isn't provided — you should understand where that token lives and its privileges.
Persistence & Privilege
ok: always:false and no install hooks are present. The skill does not request permanent platform-wide inclusion or modification of other skill configs. It will operate autonomously when invoked (platform default), which increases reach but is not itself unusual.