Skill v1.0.0

ClawScan security

Text To Video Free Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 7:47 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (generating videos via the NEMO API) but contains inconsistencies and vague instructions around token/session handling and a mismatched configPath declaration that merit caution.
Guidance
This skill calls an external API (https://mega-api-prod.nemovideo.ai) to create anonymous tokens and to upload/process files. Before installing or using it:

1) Verify you trust nemovideo.ai and are comfortable that files you upload may be sent to that service.
2) Clarify where tokens and session IDs will be stored (in-memory only, in the agent config, or on disk under ~/.config/nemovideo/) and whether they persist beyond the session.
3) If you don't want automatic network activity, set NEMO_TOKEN yourself or avoid automatic anonymous token generation; ask the skill author to require explicit user opt-in before contacting the API.
4) Avoid uploading sensitive or private files until you confirm data retention and privacy policies for the backend.
5) Ask the author to resolve the metadata inconsistency (declared configPaths vs registry listing) and to document exact storage/persistence behavior.

Proceed only if you accept these behaviors.

Review Dimensions

Purpose & Capability
note: The skill name and description describe text→video rendering and the single required credential (NEMO_TOKEN) aligns with calls to a nemo-api. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) even though the registry metadata above reported no required config paths — this mismatch is unexplained.
Instruction Scope
concern: Runtime instructions direct the agent to obtain an anonymous token from an external endpoint, create and store session_id values, use SSE endpoints, upload files (multipart @/path or via URLs), and silently handle API responses (explicitly instructs not to show raw responses or token values). The storage and hiding instructions are vague (where/how to persist tokens/session IDs is not specified). The agent is asked to auto-connect on first open; auto-network activity and token generation without explicit user opt-in could be unexpected.
Install Mechanism
ok: No install spec or code files are present — this is instruction-only, which minimizes disk-write risk.
Credentials
concern: Only NEMO_TOKEN is required (which fits a third-party API integration). However the SKILL.md metadata's configPaths (~/.config/nemovideo/) suggests access to a local config directory that was not listed in the registry's required config paths — a discrepancy that could imply the skill expects to read/write local credentials or config without declaring it. The instruction to 'keep token hidden' increases the need to know how/where secrets are stored.
Persistence & Privilege
ok: always is false and the skill does not request elevated platform-wide privileges. It does ask to 'store' a session_id for subsequent requests (reasonable for a session-based API) but does not request to modify other skills or system-wide settings.