Skill v1.0.0

ClawScan security

Ai Image Video Creator Job · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 5:26 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with an AI video-rendering integration (it needs a NEMO_TOKEN and calls nemovideo.ai endpoints); there are minor metadata inconsistencies and privacy considerations you should review before use.
Guidance
This skill appears to do what it says: it uploads your media to a nemovideo.ai API, creates sessions, renders on cloud GPUs, and returns download URLs. Before installing or using it: (1) Understand that your media and a token/session ID will be sent to and likely stored by mega-api-prod.nemovideo.ai — do not upload sensitive content unless you trust that service and its privacy policy. (2) Confirm whether the skill will persist tokens/session IDs on disk (SKILL.md hints at ~/.config/nemovideo/) and whether you are comfortable with that. (3) The skill's registry metadata omitted the config path that appears in the SKILL.md frontmatter; ask the publisher to clarify or update the registry entry. (4) Because the source/publisher is unknown, prefer using official/verified integrations for sensitive or proprietary media. If you want a higher-confidence assessment, ask the publisher for the service's documentation, privacy policy, and a canonical source URL for the endpoints used.

Review Dimensions

Purpose & Capability
ok: The skill's name/description (turn images/clips into AI videos) matches the runtime behavior: it uploads media, creates sessions, streams edits, and starts renders on a remote rendering API. Requesting NEMO_TOKEN as the primary credential is proportionate for an API-backed service. One minor inconsistency: the registry metadata you provided lists no required config paths, but the SKILL.md frontmatter includes a configPaths hint (~/.config/nemovideo/). This is plausible (for storing session info) but should have been declared consistently in the registry metadata.
Instruction Scope
note: All instructions confine themselves to the remote nemovideo.ai service: create or use an API token, open a session, upload files, send SSE messages, poll job status, and download results. The skill explicitly instructs not to print tokens/raw JSON. It also requires reading its own frontmatter (to send X-Skill-Source/X-Skill-Version) and detecting install path to set X-Skill-Platform; both are reasonable. The SKILL.md tells the agent to 'Save session_id' (persistent state) but doesn't specify exact storage location; combined with the frontmatter's configPaths this implies writing to ~/.config/nemovideo/ — the registry metadata earlier did not declare that, which is a scope/visibility mismatch you should be aware of.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an installer. That reduces installation-time risk.
Credentials
note: The single required environment variable is NEMO_TOKEN (declared as primary), which is appropriate for a third-party API. The SKILL.md also describes generating an anonymous token via the service if NEMO_TOKEN is not present — expected behavior. The only proportionality concern is the implicit config path (~/.config/nemovideo/) mentioned in the skill frontmatter which may be used to store tokens or session IDs; that path was not listed in the registry-level required config paths, so verify what will be persisted on disk and where.
Persistence & Privilege
ok: The skill does request that the agent save the session_id and use/store a token (either provided or fetched anonymously). That is normal for a service client and does not require 'always: true' or other elevated privileges. There is no indication it modifies other skills' configs or system-wide settings. Confirm how and where it persists session/token data (likely under ~/.config/nemovideo/ per the SKILL.md) if you need to control local persistence.