Skillv1.0.0

ClawScan security

Free Video Generation Ai Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 12:25 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud video-generation agent: it needs a NEMO_TOKEN (or can obtain an anonymous token), makes API calls to a remote render service, and may read its own frontmatter and user upload files — nothing appears intentionally deceptive, but there are small inconsistencies and expected privacy considerations to review.
Guidance: This skill appears to do what it says: it will call an external API (mega-api-prod.nemovideo.ai) to generate videos. Before installing, consider: 1) only provide a NEMO_TOKEN if you trust the service — the token grants the skill authorization to act on your behalf; 2) the skill may upload files you provide (video/image/audio) and will read its own skill file and detect install path to add attribution headers; 3) if you don't provide NEMO_TOKEN, the skill will request an anonymous token that grants temporary credits — that involves contacting the vendor endpoint; 4) there is a small metadata mismatch about config paths between registry and SKILL.md that should be clarified. If you have privacy or network policy concerns, avoid supplying a permanent token and review network access to the external domain.

Review Dimensions

Purpose & Capability: noteThe skill's name/description (text→video generation) aligns with required artifacts: a single NEMO_TOKEN credential and API calls to a remote video-rendering service. Minor inconsistency: the registry metadata listed no required config paths, but the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/). This difference is likely a metadata mismatch but should be reconciled.
Instruction Scope: noteSKILL.md instructs the agent to use NEMO_TOKEN (or obtain an anonymous token via POST to the vendor API), create sessions, post SSE messages, upload user files (multipart), poll render endpoints, and read the skill's YAML frontmatter to populate attribution headers. These actions are within the stated purpose (rendering videos) but do require filesystem access for uploads and reading the skill file; the agent is also instructed to detect install path to set X-Skill-Platform — this filesystem probing is peripheral to core functionality and worth noting.
Install Mechanism: okThere is no install spec and no code files — instruction-only skill. This is low-risk from an installation perspective because nothing is downloaded or written to disk by an installer.
Credentials: okOnly one credential is declared (NEMO_TOKEN) and it is appropriate for a cloud API service. The SKILL.md's fallback behavior (obtain an anonymous token) is coherent. No unrelated secrets or broad credential access are requested.
Persistence & Privilege: okThe skill is not always-enabled and does not request system-wide persistence. It does instruct reading its own metadata and detecting install location to set an attribution header, which is limited in scope and not an elevation of privilege.