Skillv1.0.0

ClawScan security

Best Text To Video Ai Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 5:06 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested credential and API calls line up with its stated purpose (cloud video rendering) but there are a few small inconsistencies and privacy implications you should be aware of before use.
Guidance: This skill appears to do what it claims (call a cloud backend to generate videos). Before installing or using it: 1) Confirm you trust the external domain (mega-api-prod.nemovideo.ai) because your uploaded files and prompts will be sent there and may be stored/processed. 2) Be aware the skill will either use a provided NEMO_TOKEN or automatically request an anonymous token from that backend — anonymous tokens grant temporary access and are minted by the service. 3) The frontmatter mentions a config path and detects install paths for attribution headers; if you have sensitive files or secrets in local config locations, avoid uploading them. 4) If you need a privacy policy or source code review, request the vendor/homepage (none provided). If any of these are unacceptable, do not enable the skill.

Review Dimensions

Purpose & Capability: okName and description describe a cloud text->video service and the SKILL.md instructs API calls to a video-rendering backend and an expected NEMO_TOKEN — this is coherent. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) in its metadata but the registry's top-level requirements declared no config paths.
Instruction Scope: noteRuntime instructions stay within the video-generation workflow (token check/anonymous token fetch, create session, SSE for generation, upload/export endpoints). The skill will call an external API to mint an anonymous NEMO_TOKEN if none is provided and will upload user files/URLs to the backend — this is expected for this functionality but is important privacy behavior to note.
Install Mechanism: okInstruction-only skill with no install spec or downloaded code; nothing is written to disk by an installer. Low install risk.
Credentials: noteOnly one credential (NEMO_TOKEN) is required, which matches service authentication. The SKILL.md will also attempt to obtain an anonymous token via the backend if NEMO_TOKEN is missing. The frontmatter references a config path (~/.config/nemovideo/) and install-path detection for header attribution — those imply potential reads of local paths/metadata, which are plausible but were not declared in the registry top-level requirements.
Persistence & Privilege: okNo always:true, no install-time persistent privileges requested. The skill runs via API calls and sessions; standard autonomous invocation is allowed but not excessive here.