Skill v1.0.0

ClawScan security

Free Video Generator Link · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 7:25 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud video-generation service: it only needs a single service token and instructs the agent how to call that service, but using it will upload your text and images to an external API and create/consume bearer tokens.
Guidance
This skill will upload whatever text and images you provide to the external service at mega-api-prod.nemovideo.ai and will use a bearer token (NEMO_TOKEN) or create an anonymous token on your behalf — treat that token like a password. Before installing, verify you trust that service (there's no homepage listed), prefer supplying your own account token rather than relying on anonymous-token issuance, and avoid sending sensitive images or secrets. Because the skill is instruction-only, there is no local install to inspect; if you need stronger assurance, request a published homepage/source or test with non-sensitive sample files first.
Findings
[no_regex_findings] expected: The static scanner found no regex matches because this is an instruction-only skill (no code files). That is expected but means the analyzer couldn't inspect runtime network or file operations described in SKILL.md.

Review Dimensions

Purpose & Capability
ok: Name/description (cloud video generation) match the declared requirement (NEMO_TOKEN) and the API endpoints in the instructions. No unrelated credentials or unusual binaries are requested.
Instruction Scope
note: Instructions stay within the video-generation workflow (auth, session creation, upload, render/export). They explicitly direct the agent to POST user-supplied files and text to https://mega-api-prod.nemovideo.ai and to generate anonymous tokens if no NEMO_TOKEN is provided. This is expected for the stated purpose but means user content and generated tokens are transmitted to an external service.
Install Mechanism
ok: No install spec or external downloads are present (instruction-only). Nothing is written to disk by an installer step.
Credentials
note: Only one environment variable is required (NEMO_TOKEN), which is proportionate to a hosted API. The skill will also generate and store an anonymous token if none is provided; that behavior is documented, but you should be aware a bearer token will be created and used for uploads/renders.
Persistence & Privilege
ok: always:false and no install-time persistence or modifications to other skills are requested. The skill asks to save session_id/state for its own session context, which is normal and limited in scope.