Skill v1.0.0

ClawScan security

Text To Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 11, 2026, 11:45 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (convert text to YouTube-ready videos) matches its runtime instructions and required credential (NEMO_TOKEN); it is an instruction-only skill that talks to an external video-rendering API and does not request unrelated secrets or install arbitrary code, though there are a couple of minor inconsistencies you should note before installing.
Guidance
This skill appears to be what it says: an instruction-only connector to an external video-rendering API that needs one service token (NEMO_TOKEN). Before installing: (1) confirm the backend domain (mega-api-prod.nemovideo.ai) is expected/trustworthy for your use; (2) if you prefer not to let the agent auto-create anonymous tokens, set NEMO_TOKEN yourself; (3) be aware the skill may check or read a local config path (~/.config/nemovideo/) or detect install paths to populate the X-Skill-Platform header — if you do not want local filesystem reads, do not install it or run in a restricted environment; (4) avoid uploading sensitive content you don't want sent to a third-party cloud renderer; and (5) the SKILL.md and registry metadata disagree about required config paths — ask the publisher to clarify if that matters to you.

Review Dimensions

Purpose & Capability
ok
The skill claims to convert text into videos and the SKILL.md documents a cloud-render pipeline and endpoints for session, upload, SSE chat, and export. Requesting a single service token (NEMO_TOKEN) is proportional to that purpose.
Instruction Scope
note
The instructions are explicit about API endpoints, session creation, SSE handling, uploads, exports, and error codes — all within the scope of a cloud video-rendering service. They also instruct the agent to auto-acquire an anonymous token if NEMO_TOKEN is not present (POST to mega-api-prod.nemovideo.ai), and to suppress technical details from user-facing chat. Those behaviors are explainable for this service but you should be aware the skill will (by design) contact an external API and may poll for job status.
Install Mechanism
ok
No install spec and no code files are present (instruction-only). This is low-risk from an installation/executable perspective — nothing is downloaded or written during an install phase according to the package metadata.
Credentials
note
The only required credential is NEMO_TOKEN (declared as primary), which matches the documented API usage. However the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) used in metadata, while the registry listing showed no required config paths — this mismatch is an inconsistency and suggests the skill *may* check a local config directory or derive platform info from install paths (e.g., ~/.clawhub/) at runtime. Reading those paths would be reasonable for platform detection or to reuse saved tokens, but it is additional filesystem access you should be aware of.
Persistence & Privilege
ok
always is false and the skill does not request persistent or elevated platform privileges. Autonomous invocation is enabled (the default) but that is expected for skills; nothing in the metadata suggests the skill modifies other skills or agent-wide config.