Skillv1.0.0

ClawScan security

Text To Video Gratis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 21, 2026, 11:40 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requested environment variable, API endpoints, and runtime instructions align with a text→video service; there are no extra credentials, installs, or suspicious instructions beyond contacting the external nemo API and uploading user-provided content.
Guidance: This skill talks to an external API at mega-api-prod.nemovideo.ai and will upload any files you give it; if you don't already have a NEMO_TOKEN it will obtain an anonymous token for you. Before installing: (1) Confirm you trust the nemovideo.ai service and its privacy/TOS — do not upload sensitive or private data unless you're comfortable with the third-party provider. (2) Prefer using an anonymous/limited token rather than a long-lived account credential. (3) Note there is no installed code to audit (instruction-only); if provenance matters, verify the service owner and homepage or avoid installing. (4) If you require stronger assurance, ask the publisher for a homepage, privacy policy, or hosted docs and retest once available.
Findings: [no_code_files_or_regex_hits] expected: The repository is instruction-only (SKILL.md) so the regex-based scanner had nothing to analyze. Absence of findings is expected but means there is no shipped code to inspect.

Purpose & Capability: okName/description (text-to-video) match the declared requirements: a single service token (NEMO_TOKEN) and an optional config path for nemo. All declared endpoints and headers are consistent with operating a remote video-rendering API.
Instruction Scope: okSKILL.md instructs only on authenticating (use NEMO_TOKEN or obtain an anonymous token), creating sessions, uploading files, using SSE for generation, polling exports, and handling credits/errors. It does not direct the agent to read unrelated files or other environment variables. It does request generating a UUID client ID and making POST/GET requests to the service, which is expected for this functionality.
Install Mechanism: okNo install spec or code files are present — the skill is instruction-only, so nothing is downloaded or written to disk by an installer.
Credentials: okOnly a single credential (NEMO_TOKEN) is required and is appropriate for accessing the external rendering API. The declared config path (~/.config/nemovideo/) is reasonable for storing session state or tokens. No unrelated secrets or system credentials are requested.
Persistence & Privilege: okSkill does not request always:true and does not attempt to modify other skills or global agent settings. It may be invoked autonomously as normal for skills, which is expected behavior.