Skill v1.0.0

ClawScan security

Video Generator Free No Limits · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 5:20 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions mostly match a cloud video-generation purpose, but there are small inconsistencies around declared config paths and filesystem access that the user should understand before installing.
Guidance
This skill appears to do what it says (cloud video creation) and only needs a NEMO_TOKEN to call nemovideo.ai, but there are a few things to check before using it:

1) Confirm you trust the domain https://mega-api-prod.nemovideo.ai — the skill will send Bearer tokens there.
2) The SKILL.md references a local config path (~/.config/nemovideo/) and asks the agent to detect install paths to populate attribution headers; the registry metadata did not list that path — ask the publisher why filesystem reads are needed.
3) Prefer using the anonymous/ephemeral token path if you don't want to expose a persistent or shared token; do not reuse high-privilege tokens as NEMO_TOKEN.
4) Because this is instruction-only, there is no installer risk, but the agent will perform network calls and local path checks at runtime — consider running in a sandbox or reviewing network logs if you have sensitive local data.

If you want to proceed, ask the publisher to clarify the config-path usage and whether the skill ever persists tokens to disk.

Review Dimensions

Purpose & Capability
note: Name/description (generate videos from text/images) aligns with the actions the SKILL.md describes (upload files, SSE, render/export endpoints). However the frontmatter in SKILL.md declares a config path (~/.config/nemovideo/) and asks the agent to read YAML frontmatter/installation paths for attribution headers; the registry metadata reported no required config paths. This mismatch is unexplained.
Instruction Scope
note: All runtime instructions are focused on the nemovideo.ai API (auth, session creation, upload, SSE, render). That is consistent with the stated purpose. The instructions also direct the agent to detect an install path (~/.clawhub, ~/.cursor/skills/) and read this file's YAML frontmatter at runtime to populate attribution headers — this requires local filesystem inspection of agent paths, which is not strictly necessary to perform a video render and is worth noting.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. Lowest install risk — nothing is written to disk by an installer.
Credentials
note: The only declared credential is NEMO_TOKEN, which is appropriate for a cloud video API. But the SKILL.md frontmatter references a config path (~/.config/nemovideo/) that the registry did not list; the skill will also generate anonymous tokens if NEMO_TOKEN is missing. Verify you are not supplying a shared or high-privilege token, since the skill will send Bearer auth to the specified domain.
Persistence & Privilege
ok: Skill is not always-enabled and has no install-time persistence. It asks the agent to store a session_id (ephemeral) and to re-auth as needed. It does not request elevated host privileges or modifications to other skills.