Skill v1.0.0

ClawScan security

Deepseek Text Tovideo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 4:44 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are internally consistent with a text→video cloud-rendering integration and ask for only one service token (NEMO_TOKEN), so it appears to do what it says.
Guidance
This skill looks coherent: it sends prompts and uploaded files to a single remote video-rendering API and requires one service token (NEMO_TOKEN). Before installing, consider: (1) verify the service/domain (mega-api-prod.nemovideo.ai) is trustworthy; (2) avoid supplying high-privilege or long-lived credentials — prefer the anonymous token flow or a dedicated limited-scope token; (3) any text or files you upload will be transmitted to the remote service, so don't upload sensitive data; (4) the skill will store a session_id and use your token for requests — if you want to revoke access later, delete the token or rotate credentials; (5) if you need stronger assurance, ask the publisher for a privacy/security policy or a public homepage/source before use.

Review Dimensions

Purpose & Capability
ok · Name/description match the behavior in SKILL.md: all API endpoints, session handling, uploads, SSE, and export flows point to a single remote video-rendering service. The single required env var (NEMO_TOKEN) and the declared config path (~/.config/nemovideo/) are proportionate to a remote render service.
Instruction Scope
ok · Runtime instructions stay within the stated purpose: create/renew a service token (anonymous or provided), create a session, send messages/uploads, poll export status. The skill asks to read its own YAML frontmatter and detect an install path (to set attribution headers), which is reasonable for attribution; it does not instruct reading unrelated system files or other secrets.
Install Mechanism
ok · Instruction-only skill with no install spec and no code files. No downloads or archive extraction are performed, which is the lowest-risk install profile.
Credentials
ok · Only NEMO_TOKEN is required and is documented as the primary credential. The skill documents how to obtain an anonymous short-lived token if none is provided. No unrelated credentials or wide-ranging environment access are requested.
Persistence & Privilege
ok · always:false and normal autonomous invocation are used. The skill instructs saving a session_id (expected for job polling); it does not request persistent elevated platform privileges or to modify other skills.