Skill v1.0.0
ClawScan security
Prompt Generator Skill Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 12:03 PM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions are consistent with a cloud video-prompt generator: it needs a single service token (NEMO_TOKEN), connects to a nemo video API, uploads media, and polls render/export endpoints — nothing requested appears disproportionate, though there are a few small inconsistencies you should review before installing.
- Guidance
- What to check before installing:
  1. Confirm you trust the API host (mega-api-prod.nemovideo.ai) — the skill will send media and prompts there and will accept tokens.
  2. Prefer using a short-lived or anonymous token rather than a long-lived production NEMO_TOKEN with broad privileges. The skill can obtain a 7-day anonymous token automatically; that is safer if you don't want to expose a permanent secret.
  3. Clarify the config-path inconsistency: SKILL.md lists ~/.config/nemovideo/ while the registry summary said none — ask the publisher whether the skill will read files from that directory and what it does with them.
  4. If you care about filesystem privacy, ask whether the skill will probe install paths (it does check common skill install locations to set X-Skill-Platform) and whether any local files will be uploaded.
  5. Verify the headers and attribution requirements (X-Skill-Source/Version/Platform) are only used for analytics/attribution and not for leaking other info.

  If any answers are missing or the host is unfamiliar, treat network traffic as potentially sensitive and avoid supplying a long-lived production token.
Review Dimensions
- Purpose & Capability
- ok: Name and description (generate video prompts / cloud render pipeline) align with required credential (NEMO_TOKEN) and the HTTP endpoints the SKILL.md instructs the agent to call. The skill's metadata indicates a config path (~/.config/nemovideo/) and a single primary env var NEMO_TOKEN, which is reasonable for a client for a video-rendering SaaS. Note: the registry summary provided with the skill said 'Required config paths: none' but the SKILL.md metadata lists a config path — this mismatch should be clarified.
- Instruction Scope
- note: Instructions are focused on API interactions needed to create sessions, upload media, ask for SSE-based generation, check credits and export renders. The skill also instructs the agent to read its own frontmatter (SKILL.md) for version and to detect install path (to set X-Skill-Platform). Reading its own file is reasonable; probing install paths and ~/.config/nemovideo/ is narrow but does involve checking the filesystem and could reveal directory layout or existing nemo config. The instructions do not ask the agent to read arbitrary user files or unrelated secrets, nor to exfiltrate data to endpoints other than the nemo API.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, which is low-risk from an install/execution perspective (nothing is written to disk by an installer).
- Credentials
- note: Only one credential is declared (NEMO_TOKEN) and is directly used for API Bearer auth — proportionate for a cloud service client. The skill will generate or request an anonymous token if NEMO_TOKEN is absent. The only proportionality warning: SKILL.md metadata references a config path (~/.config/nemovideo/) which may contain other user credentials or settings; the registry summary omitted this path. Confirm whether the skill will read files from that directory and what it will do with their contents.
- Persistence & Privilege
- ok: The skill is not always-enabled and does not request system-wide persistence. It does not ask to modify other skills or system-wide agent settings. Autonomous invocation is permitted by default (disable-model-invocation: false), which is normal for skills; this is not flagged on its own.
