Skill v1.0.0

ClawScan security

Free Kling Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 2:51 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent with a cloud-based AI video generator and only require a single service token, but there are a few minor inconsistencies and privacy considerations to review before installing.
Guidance: This skill appears to do what it says: it will upload your text/prompts and media to a nemovideo.ai service and requires a single service token (NEMO_TOKEN). Before installing, consider:
1) Privacy — your images/video will be sent to https://mega-api-prod.nemovideo.ai; don't upload sensitive content.
2) Token handling — the skill can generate and store an anonymous token (valid 7 days) and session_id; confirm you’re comfortable with the agent holding that token in memory/config.
3) Metadata mismatch — SKILL.md mentions a config path (~/.config/nemovideo/) but registry metadata listed none; ask the publisher which files (if any) are read or written.
4) Source trust — no homepage or known publisher is provided; if you need stronger assurance, request documentation or a reputable source for the API.
If those points are acceptable to you, the skill is internally coherent for its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the instructions: the SKILL.md describes uploading prompts/media and calling a nemovideo.ai render API. Requesting a NEMO_TOKEN for API access is appropriate for this purpose.
Instruction Scope
note: Runtime instructions are focused on session creation, SSE streaming, uploads, and export polling to the nemovideo.ai endpoints. They instruct generating an anonymous token and saving a session_id; they do not request unrelated credentials or filesystem reads beyond inferring an install path for an attribution header. SKILL.md tells the agent not to print tokens/raw JSON, which is reasonable.
Install Mechanism
ok: No install spec or code is provided (instruction-only), so nothing is written to disk by the skill itself — lowest-risk install posture.
Credentials
note: Only NEMO_TOKEN is declared as required and is the primary credential, which matches the API usage. However, SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch should be clarified.
Persistence & Privilege
ok: always:false (no forced presence). The skill expects to create/use an ephemeral or anonymous token and to save session_id; that is typical for an API-backed tool. It does not request system-wide or other skills' configs.