Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Vue Component Generator

v1.0.0

Get Vue component files ready to post, without touching a single slider. Upload your component description text (MP4, MOV, AVI, WebM, up to 200MB), say somet...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill is named and marketed as an 'AI Vue Component Generator' (scaffolding Vue components), but the SKILL.md repeatedly describes a cloud render pipeline that produces 1080p MP4s, accepts video uploads, and exposes video export APIs. The inputs/outputs described (video formats, render jobs, Export producing MP4) do not match the stated purpose of producing component source files. This is a core mismatch: either the skill description is wrong or the instructions are doing something else (video rendering) instead of returning Vue component files.
! Instruction Scope
Instructions direct the agent to check NEMO_TOKEN and, if absent, obtain an anonymous token via a network POST, create a session, upload files (including multipart file uploads from local paths), open SSE streams, poll render endpoints, and detect install path (~/.clawhub, ~/.cursor/skills/) to set attribution headers. The install-path detection and local-file upload behavior mean the agent may access local filesystem paths and upload arbitrary files to the remote service — which is out of scope for a simple 'component scaffolding' helper and could be used to exfiltrate local data if misused. The instructions also reference a metadata configPaths (~/.config/nemovideo/) in the frontmatter that is not reflected in the registry metadata — another inconsistency.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing gets written to disk during install. That is the lowest-risk install mechanism.
! Credentials
The skill requires one environment variable, NEMO_TOKEN, which is proportionate if the skill genuinely integrates with the nemo video API. However, frontmatter metadata also lists a config path (~/.config/nemovideo/) that was not declared in the registry metadata — a mismatch. More importantly, the instructions allow automatic anonymous-token acquisition when NEMO_TOKEN is absent and then use that token for all requests; this means the skill can perform network operations and upload local files without an explicit user-provided credential. Requesting NEMO_TOKEN is plausible, but the combination of local-file upload and optional anonymous token creation increases risk of unintended data transmission.
Persistence & Privilege
always is false and the skill does not request to persist or modify other skills or system-wide settings. Autonomy (model invocation) is allowed by default but not combined with high privileges in this skill's manifest.
What to consider before installing
This skill exhibits clear internal inconsistencies: it promises Vue component scaffolding but its runtime instructions are for a cloud video-rendering pipeline that uploads and exports MP4s. Before installing or using it, verify the skill's source and intended behavior. Do not upload or point it at files you would not want transmitted to an external service. If you must try it, provide a limited or revocable NEMO_TOKEN (or use the anonymous path with caution), and avoid selecting or allowing upload of sensitive local files or directories. Also ask the publisher (or the registry) to clarify whether the skill should output source code or rendered videos and to fix the metadata mismatch around config paths.

Runtime requirements

Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN