Skill v1.0.0

ClawScan security

Free Video Dance Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 1:37 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are consistent with a cloud-based video-generation service: it asks for one service token, uploads user media to nemovideo.ai endpoints, and has no installer — though there are small metadata inconsistencies and privacy implications to be aware of.
Guidance
This skill appears to do what it says: it will upload your photos/audio to mega-api-prod.nemovideo.ai, create a session, and return a rendered MP4. Things to consider before installing or enabling:
1) Privacy — any media you upload will be sent to an external service; don't upload sensitive images/audio.
2) Credential handling — the skill needs NEMO_TOKEN; if not provided it will create an anonymous token and use it for up to 7 days. Decide whether you want the agent to obtain and hold such tokens.
3) Metadata inconsistency — SKILL.md references a local config path (~/.config/nemovideo/) while the registry metadata did not; confirm whether the skill will read or write local config files (and avoid storing long-lived credentials on disk if you don't trust the source).
4) Source trust — there is no homepage or known publisher listed; if you need stronger assurance, request the skill's source or author information before installing.
5) If you proceed, prefer using a scoped/ephemeral token (or the anonymous flow) and avoid uploading private content.

Review Dimensions

Purpose & Capability
note: The name/description (generate dance videos from photos/audio) match the endpoints and actions described in SKILL.md (upload, SSE messaging, render/export). Requiring a single NEMO_TOKEN is appropriate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier lists no required config paths — this mismatch is an inconsistency that could affect whether the agent reads or writes a local credential/config file.
Instruction Scope
note: Runtime instructions are narrowly focused on interacting with the nemovideo.ai API: creating a session, uploading files, streaming SSE events, and starting renders. The skill instructs generating an anonymous token when NEMO_TOKEN is absent and saving session_id. These actions are expected for this functionality, but they explicitly cause user media (images, audio, video) to be uploaded to an external service — a privacy/data-exfiltration concern inherent to the feature. The instructions do not ask for unrelated files or environment variables.
Install Mechanism
ok: No install spec and no code files (instruction-only). This minimizes supply-chain risk — nothing is written to disk by an installer step beyond what the agent itself may store in memory or its own session storage.
Credentials
note: Only NEMO_TOKEN is declared as required and is justified by the API's Bearer authentication. The SKILL.md also documents a flow to obtain an anonymous token via an API endpoint (acceptable for usage). The earlier-mentioned discrepancy about a config path in the SKILL.md frontmatter means the skill may expect or try to use a local config directory for stored tokens — this should be clarified before trusting persistent credentials on disk.
Persistence & Privilege
ok: always is false and the skill does not request elevated persistent system privileges. It does store session_id in normal runtime state (expected for a session-based API). Autonomous invocation is allowed by default (not a problem on its own), so a valid NEMO_TOKEN would let the skill make API calls without repeated user prompts.