Skill v1.0.0
ClawScan security
Text To Video H2h · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 6:00 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (connect to a nemo video API to turn text into talking‑head videos) and only requests a single service token; there are a few small metadata inconsistencies and a reliance on an external API to mint anonymous tokens that you should be aware of.
- Guidance: This skill is internally consistent with its purpose: it talks to the nemo video backend and asks only for NEMO_TOKEN (and can obtain an anonymous short‑lived token if you don't provide one). Before installing, consider: 1) there is no homepage or vendor listed—verify you trust mega-api-prod.nemovideo.ai and that you are comfortable uploading content to that service; 2) the skill will make network calls to mint tokens and to upload/download media — do not provide other unrelated credentials; 3) the SKILL.md frontmatter mentions a local config path (~/.config/nemovideo/) even though registry metadata did not—if you are concerned, check whether the agent will write tokens or files to disk and where; 4) if you have a paid or enterprise account, prefer supplying your own NEMO_TOKEN rather than relying on the anonymous token fallback; and 5) review your data/privacy policy for the provider before sending sensitive scripts or media. If you want higher assurance, ask for the skill's source or an audited publisher and for details about where (and how long) uploaded media and tokens are stored.
Review Dimensions
- Purpose & Capability (ok): Name and description match the runtime instructions: the skill talks to mega-api-prod.nemovideo.ai to create sessions, upload scripts, render videos and return a download URL. Requesting NEMO_TOKEN (the service token) is proportionate to the stated purpose.
- Instruction Scope (note): SKILL.md instructs the agent to: check for NEMO_TOKEN, or else POST to the service's /api/auth/anonymous-token endpoint to acquire a short‑lived anonymous token; create a session, send SSE messages, upload files (multipart or URL), poll render status, and download results. Those actions are within scope for a cloud render client, but they do involve network calls to an external endpoint and processing user-uploaded files. The instructions also say not to expose tokens or raw API output, which is good. One minor note: the SKILL frontmatter includes a config path (~/.config/nemovideo/) even though the registry metadata listed none—this is inconsistent and may imply optional local config usage.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. Lowest-risk install mechanism.
- Credentials (ok): Only a single service credential (NEMO_TOKEN) is declared as required and used. The skill also implements a fallback to mint an anonymous token via the provider API if no token is present; that behavior is consistent with a service client but means the skill can obtain and use short‑lived credentials on behalf of the agent.
- Persistence & Privilege (ok): always is false and the skill does not request elevated platform privileges. The skill describes creating and using a session token for the provider but does not attempt to modify other skills or system-wide settings in the provided instructions.
