Skill v1.0.0

ClawScan security

Video Generator Ai Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 19, 2026, 9:38 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud video-generation integration: it needs a NEMO_TOKEN and talks to nemovideo.ai endpoints, and there are no requests for unrelated credentials or risky install steps.
Guidance
This skill appears to do what it says: connect to nemovideo.ai, accept prompts/files, and return rendered video URLs. Before installing, confirm you trust the external service (mega-api-prod.nemovideo.ai) because the skill will upload media and use a bearer token that grants access to render and download content. Note the skill can create an anonymous NEMO_TOKEN automatically (100 free credits, 7-day expiry) — if you prefer manual control, provide your own token instead of allowing automatic anonymous auth. Also be aware of where tokens/sessions are stored (the skill references ~/.config/nemovideo/ and checks common skill install paths for attribution); if you have strict data-handling policies, avoid uploading sensitive media or run the skill in an environment you control.

Review Dimensions

Purpose & Capability
note
The skill's name/description (AI video generation) aligns with the environment variable it requires (NEMO_TOKEN) and the documented API endpoints. Minor metadata inconsistency: the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata above reported no required config paths — this is a small bookkeeping mismatch but not a functional red flag.
Instruction Scope
ok
The SKILL.md instructs the agent to authenticate (using NEMO_TOKEN or by obtaining an anonymous token), create sessions, upload user-provided media, stream SSE from the backend, poll status, and return download URLs. All actions are consistent with a cloud rendering workflow; the instructions do not direct the agent to read unrelated system secrets or exfiltrate data outside the described endpoints. It does include logic to detect install/platform paths (~/.clawhub, ~/.cursor) to set X-Skill-Platform, which is reasonable for attribution.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files. No installers, downloads, or archive extraction occur — lowest-risk delivery model.
Credentials
ok
Only one credential is required (NEMO_TOKEN), which is proportional to a cloud API integration. The SKILL.md also supports generating an anonymous token if none is present; this is consistent with the service's anonymous-auth model. There are no unrelated secret/env requests.
Persistence & Privilege
ok
The skill does not request always:true or elevated privileges, and it does not instruct modifying other skills or system-wide settings. It will make network calls and may persist session state/tokens locally (expected for keeping sessions), but this is appropriate for its purpose.