Skill v1.0.0

ClawScan security

Sora Ai Video Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 12, 2026, 5:05 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are internally consistent with a cloud-based AI video generator: it needs a NEMO_TOKEN, talks to nemo/video backend endpoints, and uploads prompts/files for rendering.
Guidance
This skill appears to do what it says: it contacts nemo's cloud backend, creates or uses a NEMO_TOKEN, and uploads prompts and any files you provide to render videos. Before installing or using it, consider: (1) privacy—your prompts and uploaded media will be sent to an external service; (2) token creation—if you don't supply a token the skill will request an anonymous token from the provider automatically; (3) filesystem checks—it may look in common skill/install paths to populate attribution headers; and (4) billing/credits—check the provider's terms (the skill mentions 100 free credits and 7-day expiry). If you need strong guarantees about data residency or confidentiality, do not send sensitive files or prompts to this skill without verifying the service's policies.

Review Dimensions

Purpose & Capability
ok
Name/description, required env var (NEMO_TOKEN), and referenced API endpoints all align with a cloud video-generation service. The declared config path (~/.config/nemovideo/) and primaryEnv match the stated purpose.
Instruction Scope
note
SKILL.md stays focused on session creation, SSE-based generation, uploads, polling and exports, all appropriate for video rendering. Two items to be aware of: (1) it instructs the agent to POST to an anonymous-token endpoint to create a NEMO_TOKEN when one is missing (i.e., the skill can bootstrap credentials and will perform outbound network calls), and (2) it suggests reading/detecting install paths to populate an X-Skill-Platform header, which implies the agent may inspect certain filesystem locations. Both are coherent with the skill's operation but increase outbound network and local filesystem access compared with a purely local-only helper.
Install Mechanism
ok
Instruction-only skill with no install spec or code files; nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
note
The only required credential is NEMO_TOKEN, which is expected for a third-party cloud API. The skill also offers to obtain an anonymous token for you; that behavior is proportionate to its functionality but means prompts and any uploaded files will be sent to an external service and tied to a generated token. The declared config path is limited to the service's config directory and matches the skill's purpose.
Persistence & Privilege
ok
always is false and there is no install-time persistence or modification of other skills. The skill can be invoked autonomously by the agent per platform defaults, which is expected for skills of this type.