Skill v1.0.0

ClawScan security

Japanese Ai Video Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 25, 2026, 7:55 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's required credential and runtime instructions align with a cloud video-generation API and there is no installer or unrelated privilege request, but a small metadata inconsistency and the fact that it uploads user files to an external service warrant caution.
Guidance
This skill appears to do what it says: it sends text/images to nemo's API to generate videos and needs a NEMO_TOKEN (or will create a short-lived anonymous token). Before installing, confirm the vendor domain (mega-api-prod.nemovideo.ai) and privacy terms, because anything you upload will be sent off-platform. Ask the author to clarify the configPaths reference (does it try to read ~/.config/nemovideo/?) and how file uploads are handled by the host: the skill mentions multipart file paths, which you should not let the agent read from your local filesystem without explicit platform mediation. Prefer an anonymous token or a limited-scope token over long-lived secrets, and avoid uploading sensitive PII or secrets to the service. If you're unsure about the domain or policy, don't provide your permanent NEMO_TOKEN, and revoke any tokens after testing.

Review Dimensions

Purpose & Capability
ok: The skill is described as a cloud-hosted Japanese AI video generator and its instructions only call the nemo video API endpoints and require a NEMO_TOKEN. Requesting a token for the vendor API is proportionate to the stated purpose.
Instruction Scope
note: Instructions direct the agent to obtain an anonymous token if NEMO_TOKEN is absent, create sessions, stream SSE messages, and upload user-provided files (multipart or URL). Uploading user media to the vendor API is expected for this service, but the SKILL.md references local file paths for multipart uploads and a config path in frontmatter. Confirm how the platform will mediate file access and whether the agent will attempt to read local paths directly.
Install Mechanism
ok: There is no install spec and no code to download or run; this is instruction-only, which minimizes installation risk.
Credentials
note: Only one credential (NEMO_TOKEN) is required, which is appropriate for a third-party API. However, SKILL.md metadata includes a configPaths entry (~/.config/nemovideo/) while the registry metadata reported 'none' for required config paths. This mismatch should be clarified (does the skill attempt to read that config directory?).
Persistence & Privilege
ok: The skill is not marked always:true and does not request any elevated platform-wide privileges. Autonomous invocation is allowed (default) but not unusual; nothing indicates it attempts to alter other skills or global settings.