Skill v1.0.0
ClawScan security
Maker Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 5:36 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requested credential and API calls match its stated purpose (cloud video generation); there are minor inconsistencies and privacy/storage questions to clarify before use.
- Guidance: This skill appears to do what it says (remote AI video rendering) and only asks for a single service token (NEMO_TOKEN). Before installing:
  1) Verify the API domain (mega-api-prod.nemovideo.ai) is legitimate and that you trust the service operator; there is no homepage or publisher info in the registry.
  2) Clarify storage behavior: ask where session_id and tokens are saved (the SKILL.md hints at ~/.config/nemovideo/ in frontmatter but the registry metadata omitted config paths).
  3) Use an ephemeral/anonymous token if you don't want to store a long-lived credential, and avoid uploading sensitive or private videos unless you trust the service's privacy policy.
  4) Confirm retention and deletion policies for uploaded media and rendered outputs.

  If you can't confirm provenance or storage details, treat tokens as sensitive and limit usage (or decline to install).
Review Dimensions
- Purpose & Capability (note): The skill's name and description (AI video generation from uploaded assets) align with the required credential (NEMO_TOKEN) and the documented APIs. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not declare; the source is unknown and there is no homepage, which reduces provenance confidence.
- Instruction Scope (note): Runtime instructions stay within the video-generation domain: obtain/use a NEMO_TOKEN (or request an anonymous one), create a session, upload media, stream SSE edits, and poll export status. They do not instruct reading unrelated system files or other env vars. The guidance does instruct saving session_id but does not specify where or how long it is retained. The frontmatter's configPaths hint at possible local config access (not explicitly described in the body), creating an ambiguity.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files—no binaries or archives are downloaded or written to disk by the skill itself, which is the lowest-risk install model.
- Credentials (note): Only one credential (NEMO_TOKEN) is required, which is proportionate for a service that requires authentication. The anonymous-token flow is documented and reasonable for ephemeral usage. Caveat: the frontmatter's config path suggests the skill may read or write local configuration (e.g., to persist tokens/session state), but the registry metadata did not declare this—clarify where tokens/session_id are stored and whether the skill will write to ~/.config/nemovideo/.
- Persistence & Privilege (ok): The skill is not force-included (always:false) and uses normal autonomous invocation rules. It does ask to create and retain a session_id for job tracking, which is appropriate for long-running cloud render jobs; nothing in the spec attempts to alter other skills or system settings.
