Back to skill
Skillv1.0.0
ClawScan security
Nemo Video Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 8:31 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions align with its stated purpose (AI video generation) and request only a single service token; nothing in the SKILL.md asks for unrelated credentials or risky installs.
- Guidance
- This skill appears coherent for generating cloud-rendered videos, but consider: only provide a NEMO_TOKEN you trust (tokens grant API access); uploaded media and prompts go to the external nemo-api domain and may be stored/processed there; the skill may read its install path to set an attribution header (not arbitrary user files) — if you care about privacy, review Nemo’s privacy/terms and use a limited-scope or anonymous token where possible. Revoke or rotate the token if you stop using the skill.
Review Dimensions
- Purpose & Capability
- okName/description (video generation) match the declared requirement (NEMO_TOKEN) and the endpoints and upload/render flow described in SKILL.md. The declared config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are proportionate to the service.
- Instruction Scope
- noteInstructions direct the agent to call only the service's API endpoints (auth, session, upload, render, state) and to generate a UUID when needed. The doc asks the agent to derive an X-Skill-Platform header from the agent's install path — this implies reading the agent install path/home directory but not arbitrary user files. No instructions request unrelated system data, credentials, or exfiltration.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — lowest-risk installation footprint (no downloads or disk writes from an installer).
- Credentials
- okOnly NEMO_TOKEN is required (and anonymous token fallback via the service API). No unrelated secrets, keys, or multiple credentials are requested.
- Persistence & Privilege
- okalways is false and the skill does not request to persist or modify other skills' configurations. Autonomous invocation is allowed (platform default) but not combined with unusual privileges.