Skill v1.0.0

ClawScan security

Video Generator Cartoon Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 3:19 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions generally match a cloud video generator, but there are inconsistent manifest claims (a referenced config path in the skill frontmatter vs. registry metadata) and a lack of source/homepage which merit caution before installing.
Guidance
This skill's behavior generally fits a cloud video-generation API, but there are a few red flags to resolve before installing:
1) ask the publisher to explain the discrepancy between the SKILL.md frontmatter (which lists ~/.config/nemovideo/) and the registry metadata (which shows no config paths) — does the skill read that local directory?
2) there's no homepage or verifiable source listed; prefer skills with an official project page or vendor.
3) if you must provide a NEMO_TOKEN, use a scoped/dedicated token (not a high-privilege or long-lived account credential) and confirm how/where session tokens are persisted.
4) ask for a clear privacy statement about what user files and metadata are uploaded to the remote API and whether any usage/analytics are retained.
If the publisher satisfactorily explains the config-path mismatch and provides provenance, the skill appears coherent for its stated purpose.

Review Dimensions

Purpose & Capability
note: Name/description (cartoon video generation) aligns with the API endpoints and the single required credential (NEMO_TOKEN). However the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) that suggests the skill may read a local config directory; the registry metadata shown to you earlier did not list any required config paths — this mismatch is unexplained.
Instruction Scope
ok: SKILL.md instructs the agent to obtain/use NEMO_TOKEN, create sessions, upload user-supplied media, stream SSE responses, and poll render status — all appropriate for a cloud video service. The instructions do not request reading arbitrary user files or unrelated environment variables. They do instruct generating/storing session_id and token values (no explicit persistence location specified).
Install Mechanism
ok: No install spec or code is provided (instruction-only), so nothing is written to disk by an installer. This minimizes file-system risk compared with arbitrary downloads.
Credentials
concern: Only one credential (NEMO_TOKEN) is declared, which is proportionate for a remote API. The concern is the frontmatter's configPaths entry referencing ~/.config/nemovideo/ (possible local credential/cache access) while the registry displayed no required config paths — that inconsistency could indicate either stale metadata or an intent to access local config, and should be clarified.
Persistence & Privilege
ok: always:false and normal autonomous invocation settings. The skill asks to 'save session_id' and use tokens; it does not request elevated system privileges or to change other skills. Clarify where session tokens are stored and for how long.