Skill v1.0.0

ClawScan security

Jupiter Ai Text To Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 5:31 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud text→video service: it needs a NEMO_TOKEN and calls nemovideo.ai endpoints to create sessions, upload files, and render videos.
Guidance
This skill appears to do what it says: it calls a nemo/nemovideo cloud API to turn text and uploaded files into rendered videos. Before installing, consider: (1) it will contact https://mega-api-prod.nemovideo.ai and may create an anonymous token automatically if you don't provide NEMO_TOKEN — only install if you trust that remote service; (2) uploading files reads content you provide (do not upload secrets or private documents); (3) verify whether you want the agent to automatically obtain ephemeral tokens on your behalf; (4) note the small metadata mismatch: SKILL.md references ~/.config/nemovideo/ while registry metadata reported no config paths — this is likely harmless but you may ask the publisher to clarify. If you have a real NEMO_TOKEN for an account, supply it only if you trust the service and understand that rendered media and inputs will be transmitted to their servers.

Review Dimensions

Purpose & Capability
ok: The skill claims to generate videos from text and its instructions only reference endpoints and actions that match that purpose (session creation, SSE messaging, upload, render, credits). Requiring a NEMO_TOKEN (primary credential) is appropriate for a cloud API service.
Instruction Scope
note: The SKILL.md directs the agent to call external APIs at mega-api-prod.nemovideo.ai, create anonymous tokens if NEMO_TOKEN is missing, create sessions, upload files (multipart or URL), stream SSE responses, and poll render status. These actions are within the stated purpose. Note: uploads reference local file paths (e.g., -F "files=@/path") which implies the agent may read files the user supplies or file paths given by the user — avoid sending sensitive files. The file also instructs auto-detection of an install path for X-Skill-Platform which may require inspecting the environment/install path.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
note: Only one credential is declared (NEMO_TOKEN), which is appropriate for a service API. The instructions also support generating an anonymous token via the anonymous-token endpoint when NEMO_TOKEN is absent — this is consistent but means the skill will reach out to the network to obtain ephemeral credentials if not provided. Minor metadata inconsistency: the registry metadata listed no required config paths, but the SKILL.md frontmatter references ~/.config/nemovideo/.
Persistence & Privilege
ok: "always" is false and the skill is user-invocable; it does not request persistent system privileges or claim it will modify other skills or system-wide settings. Autonomous invocation is allowed (the platform default) but not combined with other high-risk indicators here.