Skill v1.0.0

ClawScan security

Free Text To Video Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 13, 2026, 9:46 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (convert text to downloadable MP4 via a cloud service) generally matches its runtime instructions, but there are inconsistencies about config-path access and it will upload user files and request/issue tokens to an external API with no provenance — verify the service and privacy before using.
Guidance
This skill will send your text and any uploaded files (up to 500MB) to an external service at mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or it will automatically obtain an anonymous token). Before installing or using it: (1) confirm the service owner and review a privacy policy or terms — there is no homepage or source provided; (2) avoid uploading sensitive or confidential text/files unless you trust the endpoint; (3) ask the author to explain why a config path (~/.config/nemovideo/) appears in the skill's frontmatter but is not declared in registry metadata and whether the skill will read local files; (4) treat the generated anonymous token like a credential — it may grant account-level access for 7 days; (5) if you need stronger assurance, request the skill's source code or an official service URL and privacy/retention details. Providing those items would increase confidence and could move this assessment from 'suspicious' toward 'benign.'

Review Dimensions

Purpose & Capability
note: Name/description (text-to-video) align with the actions in SKILL.md: it calls a cloud render API, accepts uploads, and returns MP4 downloads. Requesting a NEMO_TOKEN as the primary credential is proportionate for a cloud service. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is unexplained and worth clarifying.
Instruction Scope
concern: The instructions perform network calls to an external domain (mega-api-prod.nemovideo.ai) for auth, session creation, SSE chat, uploads, and export polling — that is expected for a cloud video service. Concerns: (1) the skill will upload user-provided files (up to 500MB) to that external backend (privacy/PII risk); (2) it will automatically create an anonymous token if NEMO_TOKEN is not present by POSTing to the auth endpoint and storing/using the returned token; (3) it inspects install paths to set X-Skill-Platform and references a config path in its YAML — this implies reading filesystem locations beyond ephemeral runtime state. These behaviors are within what the service needs to operate but expand the surface for data exfiltration and warrant scrutiny.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This minimizes on-disk install risk; nothing is downloaded or executed locally by the skill itself.
Credentials
note: The only declared required environment variable is NEMO_TOKEN, which is appropriate for a service API. The SKILL.md also documents generating an anonymous token when NEMO_TOKEN is absent, which is plausible but effectively means the skill will obtain and hold credentials on the user's behalf. The frontmatter lists a config path (~/.config/nemovideo/) that was not declared in the registry metadata — reading that path could expose local config or credentials and is not justified by the registry's declared requirements.
Persistence & Privilege
ok: The always flag is false and the skill is user-invocable only. It does not request persistent/always-on privileges. Nothing in SKILL.md attempts to change other skills or system-wide settings.