Skill v1.0.0
ClawScan security
Free Video Creator Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 25, 2026, 7:07 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (cloud video creation) matches the API calls and token usage in the instructions, but there are internal inconsistencies and minor scope creep (undeclared config path access and filesystem inspection) that you should understand before installing.
- Guidance: This skill mostly does what it says: it uploads your images/clips to a cloud rendering API and returns a downloadable MP4. Before installing, consider:
  1) The agent will need (or will obtain) a bearer token (NEMO_TOKEN) and will send your files to https://mega-api-prod.nemovideo.ai; only upload content you are comfortable sending to a third party.
  2) The SKILL.md indicates it may read the skill's YAML frontmatter and probe install paths and a config directory (~/.config/nemovideo/); there's an inconsistency with the registry metadata that listed no config paths. If you care about local privacy, ask the publisher to clarify what local paths will be read and why.
  3) If you don't want to use your own long-lived token, the skill will request a short anonymous token from the service; that reduces long-term token exposure but still transmits data to the provider.
  4) Because the source and homepage are unknown, prefer using a temporary/throwaway NEMO_TOKEN or use the anonymous token flow until you verify the service and its privacy policy.
Review Dimensions
- Purpose & Capability (ok): Name and description align with the runtime instructions: the SKILL.md describes exactly the API endpoints, upload workflow, session creation, SSE, and export behavior for a cloud video-rendering service. Requiring a single service token (NEMO_TOKEN) is proportionate for this purpose.
- Instruction Scope (note): Instructions are explicit about network calls, uploads, and streaming SSE; these are expected. The skill also instructs the agent to read the skill's YAML frontmatter at runtime and to detect install path (~/.clawhub, ~/.cursor/skills/) to populate attribution headers. That filesystem/installation-path inspection is not strictly necessary for video creation and is broader than what a pure API wrapper would need; worth noting but not clearly malicious.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This reduces disk persistence risk: nothing is downloaded or written by an install step.
- Credentials (note): The single required env var (NEMO_TOKEN) is appropriate for an API client. However, SKILL.md's YAML frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata reported 'Required config paths: none', an inconsistency. The skill will also attempt to obtain an anonymous token via a network call if NEMO_TOKEN is absent, which is reasonable but means the agent will make live requests to the external auth endpoint and then use the returned bearer token.
- Persistence & Privilege (ok): always:false (not forced present) and normal autonomous invocation. The skill does not request elevated platform-wide privileges or to modify other skills. Its runtime behavior involves network calls and optional filesystem reads (frontmatter, install path), which are limited in scope.
