Skillv1.0.0

ClawScan security

Free Video Generator Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 26, 2026, 3:14 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions line up with its stated purpose: it needs a NEMO_TOKEN (or will request an anonymous token) and will upload user media to the nemo-video backend to produce downloadable MP4s.
Guidance: What to consider before installing: (1) This skill sends any media you upload to a third-party API at mega-api-prod.nemovideo.ai to generate videos — do not upload sensitive or private material unless you trust the service and its privacy policy. (2) You can supply a NEMO_TOKEN in your environment (long-lived) or let the skill obtain a 7-day anonymous token; prefer anonymous tokens if you want less persistent credentials. (3) The skill reads its own frontmatter and may detect install paths to set attribution headers — this is expected and limited, but it does touch a small set of local paths. (4) If you need to audit the network interaction, verify the domain, endpoints, and expected headers shown in SKILL.md. (5) Avoid putting other secrets in the environment; verify the provenance and permissions of any NEMO_TOKEN before adding it. If you want stronger guarantees, ask the skill author for a privacy/terms link or a signed release, or test with throwaway content and an anonymous token first.

Review Dimensions

Purpose & Capability: okThe skill is a cloud video-generation client. Requesting a single service credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) is consistent with a client that must authenticate to an external rendering API. No unrelated credentials or binaries are requested.
Instruction Scope: noteThe SKILL.md instructs the agent to: (a) use NEMO_TOKEN if present or obtain an anonymous token via POST to the vendor API, (b) create a session, (c) accept user files/URLs and upload them to https://mega-api-prod.nemovideo.ai and (d) poll for render completion. These instructions are within the skill's purpose. Important privacy/security note: the agent will transmit user-uploaded files (media) to a third-party API and may read the skill's YAML frontmatter and detect install path to populate attribution headers. That file/system access is limited in scope and expected for attribution, but users should understand media and metadata are sent to an external service.
Install Mechanism: okNo install spec or code is provided (instruction-only skill). Nothing is written to disk by an installer, which reduces risk. The skill will make network calls at runtime per the instructions.
Credentials: noteOnly NEMO_TOKEN is required (declared as primaryEnv). The metadata also lists ~/.config/nemovideo/ as a config path; reading a service-specific config directory is proportionate to the skill. Users should avoid placing long-lived, high-privilege credentials in environment variables unless they trust the service; the skill will also mint/use anonymous tokens if no env token is provided.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide configurations. It will create ephemeral sessions with the backend but does not request persistent agent-level privileges.