Skill v1.0.0
ClawScan security
Deepseek Text To Video Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 11:05 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions largely match its stated purpose (text→video generation), but there is a small inconsistency about a local config path that you should review before installing or providing long‑lived credentials.
- Guidance: This skill appears to do what it says: call a remote 'nemovideo' API to generate videos from text and requires a single API token (NEMO_TOKEN). Before installing: 1) Verify the skill source or publisher if possible — the registry lists no homepage. 2) Prefer using the anonymous token flow (the skill documents how to fetch a short‑lived token) rather than placing a long‑lived or high‑privilege token in NEMO_TOKEN. 3) Be careful about which local files you upload (don’t upload secrets or system files). 4) Ask for clarification about the mismatched config path (~/.config/nemovideo/) in the SKILL.md frontmatter — confirm whether the agent will read that directory and what it stores there. If you cannot verify source or storage behavior, limit exposure by using ephemeral tokens and avoid uploading sensitive files.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actions described in SKILL.md: creating videos from text via a remote API. The single declared credential (NEMO_TOKEN) aligns with an API token for the remote service and is appropriate for this purpose.
- Instruction Scope (note): SKILL.md instructs the agent to create/refresh a token (anonymous-token endpoint), create a session, send SSE messages, upload user files (multipart or URL), poll render status, and return download URLs. Those actions are consistent with a cloud render workflow; the skill asks the agent to save session_id and the token (in memory/state) and to avoid printing raw tokens. It will also read user-supplied file paths for upload — verify that files uploaded are only those you intend to share.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. Nothing is written to disk by an installer; runtime network calls are the main surface.
- Credentials (concern): The declared required env var (NEMO_TOKEN) is proportional. However, the SKILL.md frontmatter metadata also lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this discrepancy is a concern because a config path could expose local credentials or files. The skill does not request unrelated credentials, which is good.
- Persistence & Privilege (ok): always is false and the skill does not request elevated or cross-skill modifications. The agent may store session IDs/tokens for runtime use; confirm how/where the agent stores them if you need persistence guarantees or deletion.
