Back to skill
Skillv1.0.0
ClawScan security
Generateur Video Ia · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 10, 2026, 3:24 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This instruction-only skill is internally consistent with its stated purpose: it requires a single service token, calls the nemovideo.ai API to upload/process media, and has no install steps or unrelated credential requests.
- Guidance
- This skill will upload user-provided media and text prompts to https://mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or it will obtain an anonymous token for you). Before installing: 1) Only send non-sensitive content (marketing/media is fine; do not upload private documents or credentials). 2) Verify you trust the nemovideo.ai service and its privacy/storage policy (uploaded files and render job IDs are stored server-side). 3) Prefer using a throwaway/anonymous token if you don’t want to expose a long-lived credential. 4) Be aware the skill will make network calls and may expose basic agent environment info (install path detection) to the service. 5) If you need stronger assurance, request the skill’s source/homepage or test with minimal, non-confidential files first.
Review Dimensions
- Purpose & Capability
- okName/description, declared env var (NEMO_TOKEN), and documented API endpoints all match an AI video generation service. No unrelated credentials or binaries are requested.
- Instruction Scope
- okSKILL.md directs the agent to authenticate (use NEMO_TOKEN or request an anonymous token) and to upload user media and drive render jobs via the nemovideo.ai endpoints. These actions (including SSE handling and polling) are expected for the stated functionality. Note: the skill will transmit user files and prompts to an external service—this is expected but privacy-relevant.
- Install Mechanism
- okInstruction-only skill with no install spec or code files; nothing is written to disk by an installer. This is the lowest-risk install profile.
- Credentials
- okOnly NEMO_TOKEN is required (declared as primaryEnv). The fallback anonymous-token flow is documented. No other secrets or unrelated environment variables are requested.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; it does not request permanent platform presence or attempt to modify other skills or system configuration.