Skill v1.0.0

ClawScan security

Video Text Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 18, 2026, 3:17 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud-based video text-overlay service, but there are small documentation inconsistencies and it will make automatic network calls that store session tokens — review before use and avoid sending sensitive videos if you are unsure.
Guidance
This skill acts as a client for a cloud rendering service (mega-api-prod.nemovideo.ai). Before installing: (1) Understand that your video files will be uploaded to that third-party service and rendered there — do not send confidential or restricted videos. (2) The skill will use or obtain a NEMO_TOKEN (it can auto-create an anonymous token if you don't provide one) and will store session state; consider providing your own token if you want control and know how to revoke it. (3) There is a minor metadata mismatch (SKILL.md references ~/.config/nemovideo/ while the registry did not) — ask the publisher where tokens/sessions are stored and how they are protected. (4) If you are comfortable with those network calls and storage behaviors and trust the external service, the skill appears coherent for its stated purpose; otherwise decline or sandbox it and verify where tokens/files are kept.

Review Dimensions

Purpose & Capability
note: The skill is an instruction-only front-end for a remote video rendering API and only requests a single service token (NEMO_TOKEN), which matches the described purpose. Minor inconsistency: registry metadata listed no required config paths, but the SKILL.md frontmatter lists a config path (~/.config/nemovideo/), which is plausible for storing session/token data but is not declared in the registry entry.
Instruction Scope
note: SKILL.md instructs the agent to upload user video files, create sessions, post SSE messages, poll renders, and optionally auto-create an anonymous token by POSTing to an external API. These actions are necessary for the described cloud rendering; however, the skill also directs the agent to automatically obtain and persist tokens/session IDs and explicitly instructs not to display raw tokens to users, which is a behavior you should be aware of (it involves network calls and storing credentials/session state).
Install Mechanism
ok: No install spec or code files; instruction-only skill. This is the lowest-risk install mechanism because nothing is written to disk by an installer. Runtime network calls still occur per the instructions.
Credentials
note: Only one environment variable (NEMO_TOKEN) is required, which is proportional for a remote API. The SKILL.md will create an anonymous token if NEMO_TOKEN is absent — reasonable but means the agent will call an external auth endpoint automatically. Also note the frontmatter references a config path (~/.config/nemovideo/) that could be used to persist tokens/sessions; the registry did not list this path, creating a minor mismatch to verify.
Persistence & Privilege
ok: always:false and no requests to modify other skills or global agent settings. The only persistence behavior described is storing a session_id / token for subsequent requests (expected for this use-case). Autonomous invocation is allowed by default but not elevated here.