Skill v1.0.0

ClawScan security

Ai Video Generator Free Link · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 7:19 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions largely match a cloud video-generation workflow, but there are inconsistencies (declared config path in the skill frontmatter vs registry metadata) and a few implementation details that merit caution before installing or giving credentials.
Guidance
This skill looks like a legitimate cloud video-generator that talks to nemovideo.ai, but proceed carefully:
1) the SKILL.md frontmatter references ~/.config/nemovideo/ while the registry did not — ask the publisher if the skill will read or write files there.
2) Only provide a NEMO_TOKEN you control (use an anonymous or limited-scope token if possible); avoid reusing long-lived credentials.
3) Expect media and prompts to be uploaded to mega-api-prod.nemovideo.ai — do not send sensitive content.
4) If you want to install, ask the author to clarify the config path behavior and whether tokens will be persisted locally, and confirm the authoritative homepage/source (the package currently lists no source).

Review Dimensions

Purpose & Capability
note: The name/description (AI video generation) align with the runtime instructions that call nemovideo.ai APIs to upload media, create sessions, and render videos. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and could indicate the skill expects to read local configuration or tokens that the registry didn't disclose.
Instruction Scope
ok: The SKILL.md stays within the stated purpose: it checks for NEMO_TOKEN, optionally obtains an anonymous token from the service, creates a session, uploads files, streams SSE, and starts renders. It does not instruct reading arbitrary system files or unrelated credentials. The required attribution headers and use of SSE and render endpoints are consistent with a cloud-render workflow.
Install Mechanism
ok: This is instruction-only (no install spec, no code files), so nothing is written to disk by an installer. That is the lowest install risk.
Credentials
note: The skill only requires a single credential (NEMO_TOKEN), which is proportionate for a cloud API. It also documents how to obtain an anonymous token automatically if none is present. That behavior is reasonable but worth noting: the agent will make network calls to mint tokens and must include the token in Authorization headers. The frontmatter's mention of a config path (possible local token/config storage) is not reflected in registry requirements — this could cause the skill to read or expect local config without the registry disclosing that.
Persistence & Privilege
ok: always is false and the skill contains no install steps that request persistent system changes. It does not ask to modify other skills or global agent settings. The only potential persistence vector is the undocumented config path in SKILL.md where keys or client state might be read/written; the skill does not explicitly instruct writing tokens to disk.