Skill v1.0.0
ClawScan security
Free Video Generation Ai Model · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 3:10 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it claims (upload prompts/files and call a remote video-rendering API), but there are metadata inconsistencies, missing provenance, and ambiguous handling/storage of tokens/session data that warrant caution before installing or using with sensitive content.
- Guidance: This skill will upload your prompts and media to mega-api-prod.nemovideo.ai and may create an anonymous API token for you; there is no homepage or source code to verify. Before installing: confirm you trust that external service and avoid uploading sensitive or proprietary content. Ask the publisher for a privacy/security policy or source repository. Clarify where session tokens are stored and whether data is retained/used for model training. If you must test it, run in a restricted/sandboxed environment or with non-sensitive sample media. The metadata mismatches (configPaths present in SKILL.md frontmatter but not in registry metadata, and the described auto-token flow vs. declared required env var) should be resolved by the publisher — treat those inconsistencies as reasons for extra caution.
Review Dimensions
- Purpose & Capability (note): The skill's declared purpose (text→video via a remote GPU service) matches the runtime instructions (upload files, POST to nemovideo endpoints, poll render status). However there is no homepage/source repo and the registry metadata and the SKILL.md frontmatter disagree about config paths; absence of provenance reduces auditability.
- Instruction Scope (concern): Runtime instructions will automatically obtain an anonymous token (if NEMO_TOKEN not set), create a session, upload user media (up to 500MB) and send prompts to https://mega-api-prod.nemovideo.ai. The skill tells the agent to store session_id and use tokens but gives no secure-storage guidance. It does not request unrelated system files, but uploading user files and prompts to an external service is intrinsic and should be expected and explicitly consented to by users.
- Install Mechanism (ok): Instruction-only skill with no install steps and no code files — lowest install risk. Nothing will be written by a packaged installer according to the provided metadata.
- Credentials (note): The only credential referenced is NEMO_TOKEN (declared primaryEnv). SKILL.md, however, instructs the agent to auto-request an anonymous token when NEMO_TOKEN is absent, so requiring NEMO_TOKEN upstream is inconsistent. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) while the registry metadata said none — this mismatch should be clarified.
- Persistence & Privilege (ok): The skill does not request 'always: true' and allows normal agent invocation rules. It asks the agent to persist session_id/token for the session lifecycle, which is expected for a remote service but should be stored securely by the platform.
