Skill v1.0.0

ClawScan security

Ai Video Generator Free Lifetime · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 20, 2026, 5:08 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements and metadata mostly match its stated video-rendering purpose, but small inconsistencies (required NEMO_TOKEN vs. auto-creation flow, a declared configPath that the instructions don't use) and the fact that it will upload user files and request a Bearer token suggest you should review token use and data-exfiltration implications before installing.
Guidance
This skill will send your text and any images you provide to https://mega-api-prod.nemovideo.ai and will use a Bearer token named NEMO_TOKEN (or create an anonymous token for you). Before installing:
1) Decide whether you are comfortable uploading the images/content to that external service and check their privacy/retention policy.
2) Do not put other sensitive credentials into NEMO_TOKEN; prefer a dedicated, limited token or let the skill use its anonymous token flow.
3) The metadata mentions ~/.config/nemovideo/ even though the runtime steps don't use it; avoid granting the agent access to unrelated config dirs.
4) Because this is instruction-only, no local code runs, but the agent will make network calls and upload files, so treat it like a network-connected plugin.
If you need higher assurance, request the service's owner/source and a privacy/terms link before proceeding.

Review Dimensions

Purpose & Capability
note: Name/description align with a cloud video-rendering service and the declared primary credential (NEMO_TOKEN) and API host match that purpose. However the metadata requires NEMO_TOKEN while the instructions describe an anonymous-token acquisition flow when NEMO_TOKEN is absent; that's inconsistent but explainable (it allows either pre-provisioned tokens or anonymous use). The metadata also lists a config path (~/.config/nemovideo/) that is not referenced in the runtime instructions, which is unexpected.
Instruction Scope
ok: SKILL.md contains detailed runtime instructions limited to interacting with the external nemovideo API: creating sessions, sending SSE messages, uploading files, polling renders, and reporting credits/status. It does not instruct reading unrelated system files or other credentials. It will upload user-provided images/files and transmit them to the external service; that is necessary for the stated function but has privacy implications.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing gets written to disk by an installer. That lowers local install risk.
Credentials
concern: The skill declares a single primary credential (NEMO_TOKEN), which fits a cloud API integration. But the metadata's required env var plus a fallback anonymous-token flow is inconsistent: the skill will create/use an anonymous token if NEMO_TOKEN is not present. The metadata also lists a config path (~/.config/nemovideo/) that the instructions do not actually reference; requesting access to a user config directory without justification is disproportionate. Also note that if you set NEMO_TOKEN it will be used as a Bearer token for all requests, so don't set a high-privilege/long-lived secret here unless you intend uploads and renders to use it.
Persistence & Privilege
ok: "always" is false and the skill does not request or attempt to modify other skills or system-wide settings. It does not require persistent installation or elevated privileges in the agent.