Skill v1.0.0
ClawScan security
Ai Video Generator From Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 5:17 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with an external AI video generation service — it only needs a single service token and makes API calls to nemovideo.ai — nothing in the bundle strongly contradicts its stated purpose.
- Guidance: This skill is coherent with its description: it uploads images to an external service (nemovideo.ai) and needs a single API token (NEMO_TOKEN). Before installing, confirm you are comfortable with: (1) sending images to an external 3rd-party service and their data/retention/privacy policies; (2) storing an API token (the skill may persist a session token/session_id for job tracking); (3) the domain in the SKILL.md (mega-api-prod.nemovideo.ai) — verify it is the legitimate service you expect. Note the small metadata mismatch (the frontmatter lists a config path though the registry metadata did not); ask the publisher to clarify whether any files are written to ~/.config/nemovideo/. If you need stronger assurances, request the publisher provide a canonical homepage, documentation, or a vetted install release (or run the skill in a restricted/test environment first).
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL.md describes uploading images, creating a session, streaming SSE updates, and requesting renders from https://mega-api-prod.nemovideo.ai. The single required environment variable (NEMO_TOKEN) is directly tied to that API. Note: there is a minor metadata inconsistency — the registry summary lists no required config paths, but the SKILL.md frontmatter includes a configPaths value (~/.config/nemovideo/). This discrepancy should be clarified but does not by itself indicate misuse.
- Instruction Scope (note): All runtime instructions focus on interacting with the remote rendering API (auth, session creation, upload, SSE, render/export). The SKILL.md instructs the agent to generate an anonymous token if NEMO_TOKEN is missing and to save session_id. One operational detail asks the agent to auto-detect an install path to populate X-Skill-Platform — that may require inspecting agent environment or paths. This is a modest scope expansion (reading an install path) but still related to providing correct request headers. The doc also instructs not to print tokens/raw JSON, which reduces risk of accidental disclosure.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install risk. The skill relies on outbound HTTP calls to a named domain (nemovideo.ai); no downloads or archive extraction are specified.
- Credentials (ok): Only NEMO_TOKEN is required (primaryEnv). That single credential matches the stated purpose (API access to the rendering service). The SKILL.md also documents a flow to obtain an anonymous token, which is consistent with requiring the token. There are no requests for unrelated secrets or multiple credentials.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide privileges. It instructs the agent to persist session_id and token usage for the session lifetime, which is reasonable for a remote rendering workflow. The skill does not ask to modify other skills or global agent settings.
