Skill v1.0.0

ClawScan security

Simple Video Generator Cartoon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 1:53 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions, required credential, and runtime steps are coherent with a cloud video-rendering integration, but some minor inconsistencies and unknown provenance merit caution before installation.
Guidance
This skill appears to do what it says (remote cartoon-video generation) and only asks for one credential (NEMO_TOKEN). Before installing:
1) Note the skill has no listed homepage or source—verify the service domain (mega-api-prod.nemovideo.ai) and the vendor independently if possible.
2) Prefer generating an anonymous/ephemeral token (the SKILL.md describes an anonymous-token flow) instead of storing a long-lived NEMO_TOKEN in your environment.
3) Ask the author to clarify the config-path mention (~/.config/nemovideo/) and the 'auto-detect install path' behavior so you know whether the agent will read local filesystem paths.
4) Treat uploaded media as sent to a third-party cloud GPU service—don’t upload sensitive content without checking the provider’s privacy/retention policy.
5) If you must set NEMO_TOKEN, restrict its scope/permissions and be prepared to revoke it after testing.

Review Dimensions

Purpose & Capability
note: Name/description and required credential (NEMO_TOKEN) align with a cloud video-generation service. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch should be clarified. The skill's source/homepage is also missing, reducing traceability.
Instruction Scope
note: Runtime instructions are focused on contacting the nemovideo API (auth, session, SSE, uploads, render) and handling returned data; they do not ask to read unrelated system files. One instruction asks to 'auto-detect' X-Skill-Platform from an install path, which could require probing the agent's install or filesystem paths — that is outside pure network I/O and should be clarified. The skill also instructs saving session_id/token state but doesn't define storage boundaries.
Install Mechanism
ok: Instruction-only skill with no install steps or downloaded code, so nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
note: The single required env var (NEMO_TOKEN) is proportional for a service needing bearer auth. Still, the frontmatter's config path (~/.config/nemovideo/) implies potential local config access; registry metadata omitted config paths, so the reason for that path should be explained. Users should treat NEMO_TOKEN as sensitive (gives access/credits).
Persistence & Privilege
ok: The skill is not always-enabled, does not request elevated platform privileges, and is instruction-only. Autonomous invocation is allowed (platform default) but not combined with additional privileges here.