Skill v1.0.0

ClawScan security

Free Video Generation Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 9:39 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a video-generation API integration: it only needs a NEMO_TOKEN and talks to the stated remote endpoints, but it does read/write small local state and will send user media to an external service — review what you upload and where tokens/sessions are stored.
Guidance
This skill is consistent with its stated purpose but it sends your prompts and any uploaded media to https://mega-api-prod.nemovideo.ai and uses a bearer token (NEMO_TOKEN). Before installing:
1) Only provide NEMO_TOKEN; do not supply other credentials.
2) Understand that uploaded media and prompts will be transmitted to an external service — avoid sending sensitive data.
3) Confirm where session tokens or anonymous tokens are stored (metadata mentions ~/.config/nemovideo/); if you’re uncomfortable, run it without persistent storage and revoke tokens after use.
4) The skill inspects its install path to set an attribution header — this requires reading local skill/install file locations; if that’s a concern, review or sandbox the agent environment.
5) If anything unexpected is stored or transmitted, revoke the token and stop using the skill.

Review Dimensions

Purpose & Capability: ok
Name/description (generate videos from text) match the declared env var (NEMO_TOKEN) and the SKILL.md instructions that call a remote video-rendering API. The required credential is proportionate to a remote service that uses bearer tokens.
Instruction Scope: note
Instructions are focused on creating sessions, streaming SSE edits, uploads, and exports to the nemovideo API. Minor scope notes: the skill asks to detect an install path to populate an attribution header and to 'save session_id' (no explicit secure storage location specified). It will send user-provided media and prompts to the external API — this is expected but important to note for privacy.
Install Mechanism: ok
No install spec or downloaded code — instruction-only skill. This minimizes disk-write/installation risk.
Credentials: ok
Only NEMO_TOKEN is required (declared as primaryEnv). No unrelated credentials or broad environment access are requested. Metadata lists a config path (~/.config/nemovideo/) which is plausible for storing session state but should be confirmed.
Persistence & Privilege: note
always:false (normal). The SKILL.md indicates it will generate anonymous tokens and 'save session_id' and the metadata references a config path — the skill may persist session data locally. This is reasonable but you should confirm where/when tokens or session IDs are written and how to delete them.