Skill v1.0.0

ClawScan security

Free Video Generation Professional · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 1:00 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video generation) mostly matches its instructions and required credential (NEMO_TOKEN), but there are small mismatches about file-system/config access that you should review before installing.
Guidance
This skill appears to do what it says: interact with a cloud render API using a single API token (NEMO_TOKEN), upload video files, and return download URLs. Things to consider before installing:
- Provide only a dedicated or limited-scope NEMO_TOKEN (or use the anonymous token flow) rather than a high-privilege secret you reuse elsewhere.
- The SKILL.md instructs the agent to read local paths (to read its own frontmatter and to detect the install path) and to save session_id. Confirm you are comfortable with the agent reading those paths; if you prefer, run the skill in a restricted environment where it can only access files you explicitly provide.
- There is a minor inconsistency: the registry summary listed no required config paths, while the SKILL.md metadata references ~/.config/nemovideo/. Ask the skill author to clarify what local files the skill will read or write and why.
- Because this is instruction-only, behavior depends entirely on how the agent implements those instructions; consider reviewing actual runtime logs or a network capture the first time it runs to confirm it only talks to the documented API endpoints (https://mega-api-prod.nemovideo.ai) and does not exfiltrate data elsewhere.
If you need higher assurance, request the source or a homepage for verification before use.

Review Dimensions

Purpose & Capability
Note: The skill claims to call a nemo video rendering API and only requests a single API credential (NEMO_TOKEN), which is proportionate for a cloud video service. Requiring an API token to create sessions, upload clips, and request renders is expected for this functionality.
Instruction Scope
Note: The SKILL.md explicitly instructs the agent to obtain an anonymous token (if none is provided), create sessions, upload files, start SSE-based generation, poll render jobs, and return download URLs — all consistent with a video-generation integration. It also instructs the agent to read the skill's own YAML frontmatter and to detect the agent install path (e.g., ~/.clawhub/ or ~/.cursor/skills/) to populate X-Skill-Platform headers; those steps require reading local paths and are not fully declared in the registry metadata. Uploading user files (multipart @/path) is expected but means the agent will access user-provided file paths.
Install Mechanism
OK: No install spec and no code files are provided (instruction-only). This is low-risk from a code-install perspective because nothing is downloaded or executed by the installer.
Credentials
Note: The single required environment variable (NEMO_TOKEN) is appropriate for an API-integrated video service. However, the SKILL.md metadata also references a config path (~/.config/nemovideo/) and runtime instructions that read the agent install path; these filesystem reads were not declared in the registry summary and represent a minor mismatch between declared and actual resource access.
Persistence & Privilege
OK: The skill is not marked always:true and uses normal session tokens. It asks the agent to store session_id and to reuse a provided NEMO_TOKEN, which is standard for session-based APIs. The skill does not request elevated or cross-skill configuration changes.