Skillv1.0.0

ClawScan security

Text To Video Bangla · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 15, 2026, 10:19 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement a cloud-based Bangla text→video service (requires a NEMO_TOKEN and calls nemovideo.ai APIs), but small inconsistencies and opaque instructions (metadata vs registry mismatch, instructions to hide technical details, and guidance to probe install/config paths) merit caution before installing or providing credentials.
Guidance: This skill looks like a legitimate cloud text-to-video integration, but proceed cautiously: (1) The author/source and homepage are missing — verify the provider before giving credentials. (2) Only provide a NEMO_TOKEN if you trust the nemo service; prefer an ephemeral/limited token or anonymous flow for testing. (3) The skill may read standard install/config locations in your home (~/.clawhub, ~/.cursor, ~/.config/nemovideo/) to set headers — avoid installing or running it on machines with sensitive files you don't want inspected. (4) The SKILL.md asks the agent to hide technical details from the chat; expect some network activity to be opaque to end users. If you need higher assurance, ask the publisher for: a) an official homepage or privacy policy, b) clarification about the configPaths vs registry metadata mismatch, and c) what user data is retained by the backend and for how long.

Review Dimensions

Purpose & Capability: noteThe skill's stated purpose (convert Bangla text to video) aligns with the runtime instructions that call a nemo video API and upload user files. Requiring NEMO_TOKEN and using cloud render endpoints is coherent. However, SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and install-path detection rules (for X-Skill-Platform) while the registry metadata reported 'Required config paths: none' — that metadata mismatch is inconsistent and should be clarified.
Instruction Scope: noteInstructions are focused on session creation, SSE messaging, file upload, export polling, and credits — all expected for a cloud video renderer. Two points to note: (1) the agent is instructed to detect install path (~/.clawhub/ or ~/.cursor/skills/) to set an attribution header, which implies reading user home paths; (2) the SKILL.md explicitly tells the agent to 'keep technical details out of the chat', which can make the integration's network operations less visible to users. Both behaviors are plausible for the service but reduce transparency and slightly expand scope beyond pure 'take text and return a file'.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, which is the lowest install risk. There are no downloads or package installs referenced in SKILL.md.
Credentials: noteOnly one credential is declared (NEMO_TOKEN) and is used as the Bearer token for the described API — that is proportional. However, SKILL.md also describes acquiring an anonymous token when NEMO_TOKEN is absent (via a POST to /api/auth/anonymous-token), and the YAML frontmatter mentions a config path not reflected in the registry metadata. The mismatch between declared required config paths in the SKILL.md frontmatter and the registry metadata is inconsistent and should be reconciled.
Persistence & Privilege: okThe skill does not request 'always: true' or other elevated persistent privileges. It does suggest reading certain install/config locations to detect platform headers, which is limited in scope. Autonomous invocation is enabled but that is platform default and not by itself a flag here.