Skillv1.0.0

ClawScan security

Ai Explainer Video Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 8:35 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and instructions are consistent with a cloud video-rendering integration: it needs a single service token, calls a Nemovideo API, and uploads user media for rendering — nothing requested appears unrelated to its stated purpose.
Guidance: This skill appears to do what it says: it uses a single Nemovideo token and uploads your scripts/media to a Nemovideo API to produce rendered videos. Before installing, consider: (1) NEMO_TOKEN is a secret — don’t reuse or store highly sensitive credentials there; (2) any files you upload will be transmitted to https://mega-api-prod.nemovideo.ai — avoid uploading confidential material unless you trust the service and its terms; (3) the skill may generate and store an anonymous token if you don’t provide one (7‑day expiry); (4) the skill reads its own metadata and checks common install paths to populate attribution headers — it does not ask to read arbitrary files. If you need stronger guarantees about data handling or retention, verify Nemovideo’s privacy/security policies before use.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: the SKILL.md describes creating explainer videos via the Nemovideo API and the only required credential is NEMO_TOKEN. The declared config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are consistent with a client that may keep local state or credentials.
Instruction Scope: noteInstructions direct the agent to obtain/use an API token, create sessions, send SSE and multipart uploads, poll render status, and return download URLs — all expected for a render service. Two points to note: (1) the skill will upload user files to an external domain (https://mega-api-prod.nemovideo.ai), so any uploaded content is sent off-agent; (2) the skill asks the agent to read its own frontmatter and detect install paths to set attribution headers, which requires limited filesystem inspection (its own SKILL.md and checking typical install paths). There are no instructions to read unrelated user files or environment variables.
Install Mechanism: okInstruction-only skill with no install spec and no code files. Nothing is downloaded or written to disk by an installer in the skill bundle, which is the lowest-risk installation model.
Credentials: okOnly one secret is requested (NEMO_TOKEN), which is proportionate for a third-party API. The SKILL.md also supports generating an anonymous token if none is provided. No other unrelated credentials or secrets are requested.
Persistence & Privilege: okalways:false and no install-time modifications or requests to change other skills' configs. The skill asks to save a session_id (expected for session management) but does not request persistent elevated privileges or system-wide changes.