Skillv1.0.0

ClawScan security

Ai Video Generator Free Brainrot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 11:04 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested credential and runtime behavior line up with a cloud video-rendering integration, though there are small metadata inconsistencies and it will send user media to a third-party endpoint you may want to verify before use.
Guidance: This skill routes your text and uploaded media to https://mega-api-prod.nemovideo.ai for processing and needs a NEMO_TOKEN (or will request an anonymous token automatically). Before installing, confirm you are comfortable with your media being sent to that domain and consider supplying your own token if you trust an account you control. Also note the minor metadata mismatch (config path listed in SKILL.md frontmatter but not in registry): it's likely harmless but worth asking the publisher to clarify. If you need higher assurance, verify the nemovideo.ai service and privacy policy or test with non-sensitive content first.

Review Dimensions

Purpose & Capability: okThe skill asks for a NEMO_TOKEN and calls a nemovideo.ai API to create sessions, upload media, and export rendered videos — this matches a cloud video-generation purpose. One minor inconsistency: the registry metadata listed no required config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) in its metadata; this mismatch is likely a packaging/metadata error but should be noted.
Instruction Scope: okAll runtime instructions are scoped to interacting with the nemovideo.ai backend (session creation, SSE chat, uploads, export polling). The skill instructs obtaining an anonymous token if NEMO_TOKEN is absent, keeping session state, and uploading user-provided media. It does not instruct reading unrelated local files or other environment variables, but it does require detecting an install path to set an attribution header value — this may involve inspecting runtime paths.
Install Mechanism: okNo install steps or third-party downloads are declared (instruction-only). That minimizes disk persistence and installation risk.
Credentials: okOnly a single credential (NEMO_TOKEN) is required; the SKILL.md explains how to fetch an anonymous token if not provided. That is proportionate for a cloud API integration. There are no other unexpected SECRET/TOKEN environment variables requested.
Persistence & Privilege: okThe skill is not always-enabled and uses normal autonomous invocation settings. It does not request elevated system privileges or claim to modify other skills or global agent settings.