Skill v1.0.0

ClawScan security

Ai Video Generator Free Luma · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 12:29 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (remote AI video generation) and request only one expected credential (NEMO_TOKEN); no install or unrelated credentials are requested.
Guidance
This skill appears to do what it says: it sends prompts and user media to mega-api-prod.nemovideo.ai for cloud rendering and requires a NEMO_TOKEN. Before installing or using it, consider:
1) Source verification: the registry entry has no homepage and the owner is unknown; verify the service is legitimate before uploading any private or sensitive media.
2) Privacy: your uploaded files (up to 200MB) and prompts are transmitted to an external service; don’t upload sensitive content unless you trust the provider.
3) Tokens: you can provide your own NEMO_TOKEN or allow the skill to obtain an anonymous 7-day token; treat any bearer token as sensitive.
4) Attribution headers: the skill will infer the install path to set X-Skill-Platform, which may reveal some local path metadata.
If any of these are unacceptable, do not install or use the skill. If you want greater assurance, ask the publisher for a homepage, privacy policy, or official docs and verify the API domain and endpoints before proceeding.

Review Dimensions

Purpose & Capability
ok
Name/description describe a cloud video-generation service and the skill only requires a single service token (NEMO_TOKEN) and an optional config path for nemo; these are coherent with contacting a remote rendering API. No unrelated credentials or binaries are requested.
Instruction Scope
note
SKILL.md limits behavior to calling the nemovideo API, uploading user media, creating sessions, and polling renders. It instructs generating an anonymous token if none is present and storing the session_id. It also describes reading the skill frontmatter and inferring the install path to populate attribution headers; that may reveal an install path (privacy note) but is functionally aligned with the export attribution requirement. All network sinks point to the named domain; the skill does transmit user files to that external service as part of normal operation.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files; nothing will be written to disk or downloaded by the skill itself as part of install.
Credentials
ok
Only NEMO_TOKEN is required (declared as primaryEnv). Requesting a single bearer token is proportional for a remote API service. The skill also supports auto-obtaining a short-lived anonymous token when none is provided, which is consistent with the stated workflow.
Persistence & Privilege
ok
The skill does not request always:true or escalated privileges. It instructs storing a session_id for the user session (expected for multi-step API flows) and otherwise does not modify other skills or system-wide settings.