Skillv1.0.0

ClawScan security

Free Video Generator Like Grok · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 15, 2026, 6:40 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's actions (calling a third‑party video API and uploading user files) match its description, but small inconsistencies in declared metadata and instructions (local config path checks and install-path detection) warrant caution before use.
Guidance: This skill appears to do what it says: it will send your prompts and any uploaded media files to mega-api-prod.nemovideo.ai for cloud rendering and requires a NEMO_TOKEN (or it will request an anonymous token). Before installing, consider: (1) privacy: any files you upload will be sent to a third-party service—don’t upload sensitive personal or corporate data; (2) credentials: only provide a NEMO_TOKEN if you trust the service—prefer using an anonymous token or ephemeral credentials for testing; (3) filesystem access: the SKILL.md instructs deriving a platform header by probing common install directories and lists a config path (~/.config/nemovideo/) in its frontmatter even though the registry metadata omitted config paths—ask the publisher why the skill needs to read local paths and for explicit disclosure of any files it will access; (4) provenance: the skill has no homepage and unknown source—prefer skills from known publishers. Additional information that would raise confidence: a verified homepage or repository, clear registry metadata that matches SKILL.md (including any configPaths), and a publisher identity.

Review Dimensions

Purpose & Capability: noteThe skill's stated purpose—turning text prompts into cloud-rendered videos—matches the API endpoints and flows described in SKILL.md and the single required credential (NEMO_TOKEN). However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not listed in the registry's required config paths, which is an unexplained mismatch.
Instruction Scope: noteRuntime instructions are narrowly focused on authenticating (use NEMO_TOKEN or request an anonymous token), creating a session, streaming via SSE, uploading media, and requesting renders. These are coherent for a video generation skill. The instructions also tell the agent to derive X-Skill-Platform by probing common install directories (~/.clawhub/, ~/.cursor/skills/) — that implies reading local paths which is not declared elsewhere and expands the agent's filesystem access beyond the single env var.
Install Mechanism: okNo install spec or code is included (instruction-only), so there is no installer or archive download that would write new binaries to disk. This lowers risk compared with skills that fetch and run code.
Credentials: noteOnly one credential (NEMO_TOKEN) is declared and used. The skill will also obtain an anonymous token if none is provided, which is reasonable. The frontmatter's mention of a config path (~/.config/nemovideo/) and the instruction to detect local install paths are not reflected in the registry's declared requirements—this mismatch could allow the agent to read local config files or paths not explicitly declared.
Persistence & Privilege: okThe skill is not always-enabled and uses normal model invocation. It does not request elevated or persistent system privileges in the metadata or instructions.