Skillv1.0.0

ClawScan security

Video Generator Ai Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 13, 2026, 8:31 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested credentials and runtime actions align with its stated purpose (cloud video generation), with only minor mismatches in metadata and some vague storage instructions that merit attention.
Guidance: This skill appears to do what it says: it will send text/images to an external rendering service (mega-api-prod.nemovideo.ai) and requires (or will obtain) a NEMO_TOKEN to operate. Before installing, consider: (1) privacy — any media you upload is sent to that external API; avoid uploading secrets or sensitive images; (2) token handling — the skill will generate or use a token and store a session_id but doesn't specify where/for how long; if you prefer control, supply your own NEMO_TOKEN and revoke it when done; (3) trust the endpoint — confirm you trust the nemovideo domain for processing your content. The metadata mismatch (config path referenced in frontmatter but not declared) and the vague storage instructions are worth asking the author to clarify, but do not by themselves indicate malicious behavior.

Review Dimensions

Purpose & Capability: okName/description (AI video generation) matches the declared requirement (NEMO_TOKEN) and the described API endpoints for uploading, rendering, and exporting videos. No unrelated cloud providers or credentials are requested.
Instruction Scope: noteRuntime instructions describe creating/using a session token, uploading user-provided files, streaming SSE messages, polling render status, and returning download URLs — all within the video-generation domain. The doc instructs the agent to obtain an anonymous NEMO_TOKEN if none is present and to 'store the returned session_id' but does not specify persistence location or lifecycle; it also instructs hiding tokens from user display. These behaviors are plausible for the purpose but ambiguous in implementation (where/how tokens/session IDs are stored, for how long).
Install Mechanism: okInstruction-only skill with no install spec or downloadable artifacts. Lowest-risk install posture.
Credentials: noteOnly one credential is declared (NEMO_TOKEN), which is appropriate for an API-backed video service. The SKILL.md frontmatter references a config path (~/.config/nemovideo/) not present in the registry metadata — a minor inconsistency. The skill also self-generates an anonymous token if NEMO_TOKEN is absent, which is reasonable but means the agent will interact with the external auth endpoint automatically.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated platform privileges. It instructs storing a session_id for lifetime of the session; no instructions to modify other skills or global settings are present.