Skill v1.0.0

ClawScan security

Ai Video Generator Free Girl · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 16, 2026, 5:59 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions generally match a cloud video-generation purpose, but there are metadata inconsistencies (an undeclared config path) and behaviors (automatic token acquisition, file uploads to an external API) that you should review before installing.
Guidance
Things to consider before installing:
- Confirm the backend domain (mega-api-prod.nemovideo.ai) is a legitimate service you trust. This skill will upload any images/video you provide to that remote API.
- Ask the author to explain the config-path discrepancy: SKILL.md metadata mentions ~/.config/nemovideo/ but the registry did not declare any required config paths. Ask whether the skill will read or write files there.
- Decide whether you are comfortable with the skill creating an anonymous token itself (the skill can POST to an auth endpoint and obtain a short-lived NEMO_TOKEN), and understand that doing so allows the service to track usage tied to that token.
- Because uploads contain images/videos of people, check the service's privacy, retention, and acceptable-use policies before sending sensitive content (especially minors or identifying information).
- If you need stronger assurances, ask for (or audit) an installation spec or code that shows exactly what filesystem or network calls the skill makes; without code, the SKILL.md is the only runtime spec and you should trust it only if the provider is known and reputable.

Review Dimensions

Purpose & Capability
note: The skill claims to generate AI videos and requires a NEMO_TOKEN, which is proportional to that purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not reflected in the registry 'Required config paths' field — this mismatch is unexplained and could indicate the skill expects to read local configuration that wasn't declared.
Instruction Scope
note: Instructions are primarily API calls to a remote backend (session creation, SSE-based message sending, file upload, render polling). They instruct uploading user-supplied files (multipart local paths or URLs) and reading an environment variable (NEMO_TOKEN). There is no explicit instruction to read arbitrary system files or other credentials, but the doc asks to 'auto-detect' platform from install path and references a local config path in metadata — both could require filesystem access if implemented. The skill also describes creating an anonymous token from the backend if NEMO_TOKEN is absent, which lets it operate without a pre-provisioned key.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer here; runtime behavior depends on network requests.
Credentials
note: The only declared credential is NEMO_TOKEN (primaryEnv), which is appropriate for calling the described API. That said, the skill can obtain an anonymous NEMO_TOKEN itself via the auth endpoint, so requiring the env var may be optional. The presence of a declared config path in the frontmatter (but not in the registry) is disproportionate unless the skill truly needs to read local nemovideo config; this should be clarified.
Persistence & Privilege
ok: always:false and no install actions mean the skill does not request permanent platform-wide presence. Nothing in the SKILL.md attempts to modify other skills or system settings. Be aware that autonomous invocation is allowed by default (normal), which would let the agent call these APIs without repeated prompts if granted.