Skill v1.0.0

ClawScan security

Text To Video Nano Banana · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 5:58 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with its stated purpose (text → short video) and only require a single service token, though there are minor metadata inconsistencies and you should be aware it will transmit uploaded content to an external API.
Guidance
This skill will upload your text and any files you provide to an external service (mega-api-prod.nemovideo.ai) and will use a NEMO_TOKEN for authorization; if no token is present it will request an anonymous 7‑day token on your behalf. Before installing, consider: 1) Do you trust the nemovideo.ai service and its privacy/retention policy for whatever media you upload? 2) Only supply non-sensitive content or use a token tied to an account you control. 3) There's a minor metadata mismatch (SKILL.md references a local config path while the registry summary did not) — if you want reassurance, ask the publisher to clarify whether the skill will read ~/.config/nemovideo/ or other local paths. Otherwise the skill appears internally consistent with its stated purpose.

Review Dimensions

Purpose & Capability: ok
Name/description match the instructions: the SKILL.md describes creating sessions, uploading text/files, SSE-driven generation, and exporting MP4s via the nemovideo.ai API. The only declared credential is NEMO_TOKEN, which is appropriate for a cloud video-generation backend.
Instruction Scope: note
Runtime instructions are detailed and stay within the service domain (nemovideo.ai): session creation, SSE messaging, uploads, credits check, render/export polling. The doc also instructs generating an anonymous token when NEMO_TOKEN is absent and detecting an install path to set an X-Skill-Platform header — the latter implies reading or inferring local paths (minor scope creep) but nothing outside the service domain is requested.
Install Mechanism: ok
There is no install spec and no code files (instruction-only), so nothing is downloaded or written to disk by the skill itself. This is the lowest install risk profile.
Credentials: note
The skill only requires one env var (NEMO_TOKEN), which is proportionate for a cloud API. Small inconsistency: the registry summary lists no required config paths, but the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/). That discrepancy should be resolved, but it does not by itself indicate excess credential requests.
Persistence & Privilege: ok
always:false and no install-time persistence are appropriate. The skill will create sessions and render jobs on the backend but does not request elevated platform privileges or permanent presence on the agent.