Skill v1.0.0

ClawScan security

Text To Video Kostenlos · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 25, 2026, 8:15 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud text→video service; nothing obviously unrelated or excessive is requested, but there are a few small metadata/instruction mismatches to be aware of.
Guidance
This skill behaves like a normal cloud text→video integration: it will make network calls to nemovideo.ai and needs a NEMO_TOKEN (it can also request a short-lived anonymous token if you don't provide one). Things to consider before installing: (1) the agent may check your home directories (~/.clawhub or ~/.cursor/skills) to set an attribution header — if you don’t want the agent to inspect those paths, do not enable the skill; (2) supplying your own NEMO_TOKEN gives the skill direct access to that account — only provide a token you trust the service with; (3) if you are concerned about sending data to an unknown backend, avoid installing until you can verify the service (homepage, privacy policy, or official repository). The metadata vs. instructions mismatch around whether NEMO_TOKEN is strictly required is benign but worth noting.

Review Dimensions

Purpose & Capability
ok
Name and description match the operations described in SKILL.md: calling a nemo-video cloud API to create/upload/render videos. Requesting a single API token (NEMO_TOKEN) is proportionate to that purpose.
Instruction Scope
note
Instructions tell the agent to call nemo-api endpoints (auth, session creation, SSE /render/upload endpoints) and to manage session_ids and streamed responses. This is in-scope. Two small scope notes: (1) the SKILL.md asks the agent to 'detect' an install path to set X-Skill-Platform (this implies checking filesystem paths like ~/.clawhub/ or ~/.cursor/skills/), and (2) if NEMO_TOKEN is missing the skill will request an anonymous token via an API call. Both behaviors are explainable for telemetry/attribution and anonymous usage, but they do require filesystem checks and network calls beyond only submitting text-to-video payloads.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files — lowest-risk install posture; nothing is downloaded or written by an installer.
Credentials
note
The only declared credential is NEMO_TOKEN which is appropriate. There is a small inconsistency: registry metadata lists NEMO_TOKEN as required, but the SKILL.md supports generating an anonymous NEMO_TOKEN if none is present (via a POST to /api/auth/anonymous-token). Functionally this reduces required privilege, but the declared 'required env var' doesn't reflect that fallback behavior.
Persistence & Privilege
ok
always:false and normal autonomous invocation are set. The skill stores and reuses a session_id for the session life-cycle, which is expected. It does not request persistent system-wide privileges or other skills' configs.