Skillv1.0.0

ClawScan security

Video Generator Free Ai Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 5:36 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions match its stated purpose (cloud video generation) and request only a single service token; there are minor metadata inconsistencies but no clear signs of misdirection or excessive privilege.
Guidance: This skill appears to do what it says: it calls a third‑party API at https://mega-api-prod.nemovideo.ai to generate and return videos and requires a single service token (NEMO_TOKEN). Before installing or using it, consider: (1) The skill's source/homepage are unknown and the registry owner is an ID only — verify you trust nemovideo.ai and the skill publisher. (2) Prefer using the anonymous starter token (the skill can obtain one) rather than exposing a long‑lived personal NEMO_TOKEN tied to your account. (3) The SKILL.md frontmatter mentions a local config path (~/.config/nemovideo/) though the registry didn't — this metadata mismatch is minor but worth noting. (4) The skill will upload media you provide to the service — do not send sensitive or confidential videos/images unless you accept the service's data handling. (5) If you want extra caution, run the skill in an environment with network monitoring or in a sandbox and review the service's privacy/terms before sending private content.

Review Dimensions

Purpose & Capability: noteThe name/description (cloud video generation) align with the runtime actions (calls to a nemo-video API, upload, export, SSE). Requiring a NEMO_TOKEN is appropriate. Minor inconsistency: the skill's SKILL.md frontmatter references a config path (~/.config/nemovideo/) that the registry metadata did not list in required config paths — this is a small mismatch in metadata but not evidence of malicious intent. The requirement to supply X-Skill-* attribution headers is unusual but consistent with the described backend behavior.
Instruction Scope: okThe SKILL.md only instructs the agent to call the nemo backend endpoints (session, upload, SSE, render polling), obtain an anonymous token if NEMO_TOKEN is absent, and translate GUI actions to API calls. It does not instruct reading unrelated filesystem paths or other environment variables beyond NEMO_TOKEN. Error handling and SSE polling behavior are specific and scoped to the service.
Install Mechanism: okNo install spec or code files are present; this is an instruction-only skill. That is the lowest-risk install model: nothing is written to disk by the skill package itself.
Credentials: okOnly one credential is requested (NEMO_TOKEN) and it is the primary credential for the described cloud service. The agent may acquire a short-lived anonymous token via the service's anonymous-token endpoint if no token is provided; that behavior is explained and matches the use-case. No unrelated secrets or multiple external credentials are requested.
Persistence & Privilege: okalways:false and normal autonomous invocation are used. The skill does not request persistent system-wide privileges or modifications to other skills. Autonomous invocation is the platform default and, by itself, is not a concern here.