Skill v1.0.0
ClawScan security
Free Generation Text · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 3:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are coherent with its stated purpose (generating videos via the NemoVideo API); it asks only for the service token and will call the documented API endpoints and upload files to that service.
- Guidance: This skill appears to do what it says: it will send your text prompts and any uploaded files to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN (or obtain a temporary anonymous token) to render videos. Before installing or using it, consider: (1) Do not upload sensitive or private data you wouldn't want sent to a third party; (2) only provide a permanent NEMO_TOKEN if you trust the nemo service — otherwise let the skill use anonymous tokens for transient jobs; (3) be aware the agent may access the skill file and detect install path for attribution headers (this is not access to other credentials); (4) verify the provider domain if you have concerns about data residency or privacy. If any of those are unacceptable, do not install or do not provide a persistent token.
Review Dimensions
- Purpose & Capability (ok): The name/description (text-to-video generation) aligns with the requested credential (NEMO_TOKEN) and the SKILL.md API calls to mega-api-prod.nemovideo.ai. The declared config path (~/.config/nemovideo/) and primaryEnv=NEMO_TOKEN are consistent with a client for that backend.
- Instruction Scope (note): The SKILL.md instructs the agent to: use NEMO_TOKEN or obtain an anonymous token via the provider's /auth/anonymous-token endpoint, create sessions, upload user files (multipart or URLs, up to 500MB), send SSE messages, and poll render endpoints. These actions are within the skill's purpose, but they do mean user-provided text and any uploaded files will be transmitted to the external nemovideo API. The skill also reads its own YAML frontmatter and probes an install path to set an attribution header — this requires local filesystem access to determine the install location, which is reasonable for attribution but worth noting.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files. That is the lowest-risk install mechanism: nothing is downloaded or written by an installer step.
- Credentials (ok): The only required environment credential is NEMO_TOKEN (the service token). If absent, the skill fetches an anonymous token from the provider. No unrelated secrets or multiple external credentials are requested.
- Persistence & Privilege (ok): always:false (default) and normal autonomous invocation are used. The skill does not request permanent system-wide privileges or modification of other skills' configs in its instructions.
