Skillv1.0.0

ClawScan security

Free Video Generator Meta Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 26, 2026, 5:32 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requested artifacts and runtime instructions are consistent with a hosted AI video-generation service: it only needs a service token (NEMO_TOKEN) and makes API calls to the nemovideo.ai backend described in the SKILL.md.
Guidance: This skill appears to do what it says: it calls nemovideo.ai endpoints, uploads files you provide, and requires a NEMO_TOKEN for authorization. Before installing or using it: (1) only provide a NEMO_TOKEN you trust — it grants access to your account/credits; consider using the anonymous-token flow if you don't want to expose a long-lived token, (2) be aware the skill may probe your home directory for install-paths (~/.clawhub or ~/.cursor/skills/) and include that info in request headers (this is a minor privacy leak), (3) only upload files you intend to send to the remote service, and (4) verify the API domain (mega-api-prod.nemovideo.ai) is the service you expect. If you need greater assurance, ask the publisher for a homepage or source repository and review any service terms or privacy policy before supplying real credentials.

Review Dimensions

Purpose & Capability: okName/description claim (generate videos from text or clips) aligns with the declared requirement (NEMO_TOKEN) and the SKILL.md which describes session creation, upload, SSE generation, and export endpoints on mega-api-prod.nemovideo.ai.
Instruction Scope: noteInstructions are focused on authenticating, creating a session, sending SSE messages, uploading files, polling render status, and returning download URLs — all within the stated video generation workflow. Two minor scope notes: (1) the SKILL asks the agent to detect the agent install path (~/.clawhub/ or ~/.cursor/skills/) to populate an X-Skill-Platform header (this requires probing the user home directory and reveals installed agent platform), and (2) uploads reference local file paths (expected for file upload features) so the agent will read files the user provides. Otherwise the instructions stay within the stated purpose.
Install Mechanism: okNo install spec or third-party downloads — instruction-only skill, so nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials: okOnly one credential, NEMO_TOKEN, is required and is the expected authorization for the described API. The metadata also lists a config path (~/.config/nemovideo/) which is consistent with a client app. Note: a valid NEMO_TOKEN likely grants access to the user's account and credits on the service, so it should be treated as sensitive.
Persistence & Privilege: okThe skill is not always-enabled, does not request elevated platform privileges, and does not attempt to modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation: false) is the platform default and is not by itself a concern here.