Home Renovation Video

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent NemoVideo integration, but it will connect to NemoVideo, create or use a token, and store a local client ID for setup.

This skill appears purpose-aligned for creating renovation videos through NemoVideo. Before using it, understand that it may contact NemoVideo automatically, store a local client ID, use or create a NemoVideo token, and send your prompts or uploaded video files to NemoVideo for processing.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may contact NemoVideo as soon as the skill is first used, before doing the requested video task.

Why it was flagged

The skill instructs the agent to make an outbound API request during initial setup. This is disclosed and related to the video service, but it is proactive setup behavior.

Skill content

When the user first interacts, set up the connection... curl -s -X POST "https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token" -H "X-Client-Id: $CLIENT_ID"

Recommendation

Use the skill only if you are comfortable with automatic setup calls to NemoVideo; consider asking the agent to confirm before connecting if you want more control.

What this means

If you provide a NemoVideo token, the agent can use that token to access the NemoVideo service for this workflow.

Why it was flagged

The skill uses a NemoVideo token for authentication. This is expected for a cloud video-generation API, though the registry summary says no required env vars or primary credential.

Skill content

requires:\n    env: ["NEMO_TOKEN"]... primaryEnv: NEMO_TOKEN

Recommendation

Provide only a NemoVideo-specific token, avoid sharing unrelated credentials, and revoke or rotate the token if you stop using the skill.

What this means

NemoVideo may recognize repeat use from the same local client ID, and the ID remains on disk until removed.

Why it was flagged

The skill creates persistent local state that can identify the client across sessions. It does not show misuse, but users should know it persists.

Skill content

Read `~/.config/nemovideo/client_id` if it exists... Otherwise generate a UUID, save it to `~/.config/nemovideo/client_id`

Recommendation

If you do not want persistent service state, remove ~/.config/nemovideo/client_id after use or ask the agent not to create it.

What this means

Your prompts and any uploaded video content may be sent to NemoVideo for processing.

Why it was flagged

The skill sends user-provided renovation ideas or media to an external NemoVideo backend. This is central to the service, but it is a data-sharing boundary.

Skill content

Works by connecting to the NemoVideo AI backend at mega-api-prod.nemovideo.ai... Share a video file or tell me your idea!

Recommendation

Avoid uploading sensitive footage, private locations, or personal information unless you trust NemoVideo’s handling of that data.

What this means

Install-time metadata may understate the setup details users will see in the skill instructions.

Why it was flagged

The registry metadata does not match SKILL.md, which declares version 1.0.3 and NEMO_TOKEN/config-path requirements. This appears to be a metadata consistency issue rather than evidence of malicious behavior.

Skill content

Version: 1.0.0... Required env vars: none... Primary credential: none

Recommendation

The publisher should align registry metadata with SKILL.md so token and config requirements are clear before installation.