Skill v1.0.0
ClawScan security
Best Free Video Generation Model · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 8:30 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a cloud video-generation integration: it needs a NEMO_TOKEN and calls an external nemo video API to create sessions, upload media, and export videos.
- Guidance: This skill appears internally consistent for a cloud video-generation connector, but you should verify the external service before using it. Consider: (1) The skill will send uploaded files, prompt text, and any NEMO_TOKEN to https://mega-api-prod.nemovideo.ai — don't upload sensitive or private media. (2) There is no homepage or published source linked in the metadata; if you need provenance, ask the publisher for documentation or source code. (3) If you already have a NEMO_TOKEN, provide it only if you trust the service; otherwise the skill will obtain an anonymous token automatically. (4) If you want to limit risk, avoid providing unrelated credentials and avoid letting the agent read arbitrary local file paths unless you explicitly upload a file. If you want higher assurance, request the skill's source or an official service homepage before installing.
Review Dimensions
- Purpose & Capability (ok): Name/description match the declared requirements: the skill calls a remote video generation API and only requests NEMO_TOKEN (plus an optional config path). No unrelated credentials, binaries, or platform-level access are requested.
- Instruction Scope (note): SKILL.md instructs the agent to use NEMO_TOKEN if present, or obtain an anonymous starter token by POSTing to https://mega-api-prod.nemovideo.ai. It also describes uploading files (multipart '@/path' or via URLs), SSE streams, polling render status, and required attribution headers. These actions are expected for a remote video service, but the instructions will transmit user-provided files and any token used to the external API and are somewhat permissive about fetching files/URLs and auto-creating tokens.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files; nothing is written to disk by an installer. This is the lowest install risk.
- Credentials (note): Only NEMO_TOKEN is required (declared as primary). The frontmatter also lists a config path (~/.config/nemovideo/) which is plausible for cached credentials. Creating an anonymous token when none is present is functional but means the skill will reach out to an external endpoint to obtain credentials on the fly.
- Persistence & Privilege (ok): always:false and no install actions or modifications to other skills or system state are declared. The skill does not request persistent platform privileges.
