Skill v1.0.0
ClawScan security
Online Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 5:53 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly fits an online video-generator service, but there are metadata inconsistencies and the runtime instructions imply reading/writing local config and handling tokens. Review token storage, config-path access, and the unknown service endpoint before installing.
- Guidance: This skill mostly looks like a legitimate cloud video service integration, but you should:
  1. Confirm the publisher/source and that mega-api-prod.nemovideo.ai is the intended endpoint.
  2. Ask how and where the agent will store the anonymous token/session_id (environment variable vs disk, and whether it will persist beyond 7 days).
  3. Verify you are comfortable with the skill reading install paths or writing to ~/.config/nemovideo/ (request explicit details).
  4. If you prefer least privilege, avoid setting a long-lived NEMO_TOKEN in your environment and prefer ephemeral/anonymous tokens with limited scope; monitor any files created under your home directory after first run.

  If you can't get clear answers about token storage and config-path usage, treat the skill as higher risk and consider not installing it.
- Findings
[no_code_files] expected: The scanner had no files to analyze; this is an instruction-only skill. Absence of regex matches does not guarantee safety — review SKILL.md behavior instead.
Review Dimensions
- Purpose & Capability (note): The declared primary credential (NEMO_TOKEN) and the SKILL.md HTTP endpoints (nemovideo API) align with an online cloud video rendering service. However the registry metadata earlier said 'Required config paths: none' while the SKILL.md frontmatter declares a config path (~/.config/nemovideo/), which is an inconsistency worth verifying with the publisher.
- Instruction Scope (concern): The SKILL.md instructs the agent to obtain an anonymous token via POST and to 'save session_id' and use/store a NEMO_TOKEN. It also instructs detecting the install path to set X-Skill-Platform (reading home-directory paths). These are within the service's needs (auth and attribution) but they require the agent to read local paths and to persist short-lived tokens/session IDs. Ask how/where tokens/session IDs are stored and whether anything else is read or uploaded.
- Install Mechanism (ok): Instruction-only skill; there is no install spec and no code files to write to disk, which lowers risk. No remote downloads or package installs are requested.
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared, which matches the API usage. However the instructions describe creating an anonymous token and treating it as NEMO_TOKEN (implying creating/persisting a credential). Consider whether you want the agent to create or persist that token in your environment or on disk, and verify the token's scope and expiry semantics.
- Persistence & Privilege (concern): The skill is not always-enabled and can be invoked by the user, which is normal. Still, it requests reading the agent's install path to populate X-Skill-Platform and references a local config directory in its frontmatter (~/.config/nemovideo/). That implies potential local filesystem reads/writes for attribution or token/session storage. Confirm whether the skill will write tokens or session state to disk and whether it will access other local files.
