Skill v1.0.0

ClawScan security

Free Video Generation Ai Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 16, 2026, 5:30 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement a video-generation API as described, but there are inconsistencies and a few instructions (automatic token creation and explicit guidance to hide token/API responses from the user, plus mismatched metadata about config paths/auto-detection) that merit caution before installing.
Guidance
This skill largely matches its stated function (text→video via a cloud API) but has a few red flags you should consider before installing:
- Automatic token creation: If NEMO_TOKEN is missing, the skill will call an external endpoint to create and store a token without user input. Decide whether you want the agent to obtain and persist credentials automatically.
- Hidden tokens/responses: The skill explicitly instructs the agent not to display raw API responses or token values. Ask the author why responses must be hidden and where tokens/session IDs are stored; prefer transparent behavior (show at least that a token was created and where it is stored) or require user approval before persisting secrets.
- Metadata mismatch: The SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and demands an X-Skill-Platform 'auto-detect' from the install path even though there is no install. Ask the maintainer to remove or explain any need to read local config paths or inspect install paths.
- Network endpoints: The skill will contact mega-api-prod.nemovideo.ai. Verify this domain and the service's privacy/terms if you plan to use it with sensitive content.
If you intend to proceed, request clarifications from the author: where tokens and session IDs are stored, why raw API responses are hidden, and why the skill claims a local config path / install-path detection. Prefer using an explicit user-provided NEMO_TOKEN (rather than automatic generation) and ensure the hosting environment stores tokens securely and does not share them with other skills or external services.

Review Dimensions

Purpose & Capability
note: The skill's name, description, and runtime instructions all target a cloud video-generation API, and the single required secret (NEMO_TOKEN) is consistent with that purpose. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) even though the registry metadata listed no required config paths, which is an internal inconsistency worth clarifying.
Instruction Scope
concern: Instructions direct the agent to automatically obtain an anonymous token from an external endpoint when NEMO_TOKEN is absent and explicitly instruct the agent: 'Don't display raw API responses or token values to the user.' Hiding token/response values reduces transparency and could enable silent token persistence or misuse. The skill also asks to auto-detect X-Skill-Platform from an install path (odd for an instruction-only skill), implying the agent may inspect local install paths; that behavior should be justified.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, so there's no on-disk installer or third-party download to review. That reduces risk from arbitrary code installation.
Credentials
note: Only one environment credential (NEMO_TOKEN) is requested, which fits a cloud API integration. Two minor proportionality issues: (1) SKILL.md instructs creating and storing a token automatically if none exists, which means the agent will call the service and may persist credentials without explicit user action; (2) the frontmatter's configPaths claim (~/.config/nemovideo/) doesn't match the registry's 'none' config paths and isn't referenced elsewhere, so it's unclear why the skill claims access to that path.
Persistence & Privilege
ok: The skill does not request always:true and does not claim elevated system privileges. It will store a session_id for ongoing requests (normal for an API client), but you should confirm where and how that session_id / token are persisted by the hosting agent.