Skill v1.0.0
ClawScan security
Text To Voice · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 27, 2026, 5:29 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a cloud text→voice/video service: it only asks for a single service token (NEMO_TOKEN), calls endpoints on a single domain, and has no install-time code — nothing indicates it is doing something other than what it says.
- Guidance: This skill appears to do exactly what it claims: it uploads text/files to nemovideo.ai and returns rendered voice/video. Before installing, consider: (1) You will be sending uploaded content (up to 200MB files) to an external service — do you want that data hosted there? (2) The skill requires and will send a bearer token (NEMO_TOKEN) on every request; only provide a token if you trust the service and understand token lifetime/permissions. (3) The skill can generate an anonymous token and persist it for 7 days — if you prefer not to store credentials, run only in ephemeral sessions or clear saved tokens. (4) There is a minor metadata inconsistency (SKILL.md references a config path ~/.config/nemovideo/ even though the registry shows none); if this concerns you, ask the publisher how/where tokens and session state are stored. If you handle sensitive content, verify the vendor's privacy/retention policy and limit the token's scope or use an account dedicated to non-sensitive testing.
Review Dimensions
- Purpose & Capability (ok): The skill is a text-to-voice/video front-end that needs a service token (NEMO_TOKEN) and talks to nemovideo.ai endpoints to upload text/files, create sessions, and request renders. Requesting a service API token and session management is proportionate to the described functionality.
- Instruction Scope (note): SKILL.md gives an explicit API workflow (anonymous token endpoint, session creation, SSE, upload, export) and instructs saving session_id and using Authorization headers. It also instructs reading the skill's YAML frontmatter and detecting the install path to set X-Skill-Platform — these are reasonable for attribution but require the agent to read the local SKILL.md and possibly probe common install paths. Nothing in the instructions directs the agent to read unrelated credentials or system files, but the file/path-detection behavior is worth noting.
- Install Mechanism (ok): This skill is instruction-only with no install spec or code files to write to disk; that is the lowest-risk install mechanism. There are no external downloads or package installs requested.
- Credentials (note): Only NEMO_TOKEN is declared as required (primaryEnv=NEMO_TOKEN), which matches the service usage. The skill instructs the agent to generate an anonymous token via the API when NEMO_TOKEN is absent and to persist/use that token; consider whether you want ephemeral anonymous tokens saved in the agent environment. Also note a small metadata inconsistency: the registry summary stated no required config paths but the SKILL.md frontmatter mentions configPaths (~/.config/nemovideo/).
- Persistence & Privilege (ok): The skill does not request always:true or any elevated persistent platform privileges. It asks to store session_id and a token for API use, which is normal for a cloud service integration. It does not instruct modifying other skills or global agent settings.
