Skill v1.0.0

ClawScan security

Video Generator Image Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 4:26 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with a cloud video-generation service: it needs a NEMO_TOKEN and calls nemo/video API endpoints to upload images, run renders, and return download URLs; no unrelated credentials or installers are requested.
Guidance
This skill appears to do what it says: it uses a NEMO_TOKEN to call a remote Nemo video API and uploads the images you provide to produce rendered MP4s. Before installing:
1) Understand that your images will be uploaded to an external service (privacy risk for sensitive images).
2) Confirm you are comfortable giving the skill access to a NEMO_TOKEN (or allowing it to fetch an anonymous token).
3) Ask the publisher to clarify the config-path mention (~/.config/nemovideo/) vs. registry metadata — ensure the skill won't read unexpected local files.
4) Because this is instruction-only there is no code to audit; if you need stronger guarantees, request an official homepage, privacy policy, or publisher identity before use.
Finally, avoid uploading sensitive personal data and prefer ephemeral tokens with minimal scope where possible.

Review Dimensions

Purpose & Capability
note: The name/description match the actions in SKILL.md: session creation, upload, SSE-based generation, and export endpoints at mega-api-prod.nemovideo.ai. The single required env var (NEMO_TOKEN) is appropriate. Minor inconsistency: the registry summary said 'Required config paths: none' while the skill frontmatter declares a config path (~/.config/nemovideo/). This is likely metadata drift but should be checked.
Instruction Scope
ok: SKILL.md instructs the agent to read NEMO_TOKEN (or fetch an anonymous token), create sessions, upload files (multipart or by URL), stream SSE messages, poll render status, and return download URLs. Those instructions are limited to the video service and user-provided files; there are no instructions to read unrelated system files or other environment variables.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — the lowest-risk install model. Nothing is downloaded or written by an installer.
Credentials
note: Only NEMO_TOKEN is required (declared as primaryEnv), which is proportional to calling the remote API. The frontmatter also references a config path (~/.config/nemovideo/) that could imply reading local config; this is not reflected in the registry summary and should be clarified. No other credentials or broad system access are requested.
Persistence & Privilege
ok: always:false (no forced permanent inclusion). The skill may be invoked autonomously (disable-model-invocation:false), which is normal for skills; it does not request elevated system privileges or modify other skills' configs.