Skill v1.0.0
ClawScan security
Video Generator Free No Filter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 5:20 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match a video-generation service, but there are mismatches about how credentials/config are handled and it will automatically obtain tokens and send your files to an external API — proceed only after understanding those behaviors and the service's privacy/terms.
- Guidance: This skill will send whatever media and prompts you provide to a remote service (mega-api-prod.nemovideo.ai) and will request or automatically obtain an API token if one isn't supplied. Before installing/using it: (1) confirm you are comfortable uploading the types of content you will send (sensitive or copyright-protected media will be transmitted), (2) verify the third-party domain and review its privacy/terms if possible, (3) be aware the skill's manifest inconsistently declares required config/credential behavior (it says NEMO_TOKEN is required but will create an anonymous token automatically), and (4) if you prefer explicit control, provide your own NEMO_TOKEN or avoid using the skill. If you want higher assurance, ask the publisher for a canonical homepage, privacy policy, and clarification on where tokens and session IDs are stored and how long uploads are retained.
Review Dimensions
- Purpose & Capability (note): Name/description (video generation 'no filter') align with the endpoints and actions in SKILL.md: uploading media, starting render jobs, SSE streaming, and exports. However, the registry metadata and SKILL.md disagree: the top-level registry reported no required config paths, but the SKILL.md metadata lists ~/.config/nemovideo/. Also, the registry claims NEMO_TOKEN is required, while the instructions explicitly create an anonymous token when none is present — inconsistent declarations.
- Instruction Scope (note): Instructions focus on contacting a single remote backend (mega-api-prod.nemovideo.ai) to obtain tokens, create sessions, upload media, and start renders — which is consistent with the stated purpose. Important runtime behaviors: (1) if NEMO_TOKEN is missing the skill will POST to an anonymous-token endpoint to obtain a token (i.e., it will contact an external service without an existing user credential), (2) it uploads user-provided media (up to ~500MB) to the third-party service, and (3) it attempts to infer the install path to set an attribution header. The instructions do not ask for unrelated local files or other creds, but they do send potentially sensitive user content to a remote service.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by an installer. That is the lowest-risk install mechanism.
- Credentials (concern): Only NEMO_TOKEN is declared as required, which is appropriate for a third-party API. But the SKILL.md shows the skill will obtain an anonymous token automatically if NEMO_TOKEN is not present; that makes the declared 'required' credential misleading. SKILL.md also references a config path (~/.config/nemovideo/) in its metadata while the registry reported none — another mismatch. There are no unrelated credentials requested, but automatic token acquisition implies outbound network auth and creation of anonymous accounts (100 free credits, 7-day expiry).
- Persistence & Privilege (ok): always:false and default autonomous invocation are set. The skill asks to keep a session_id for operations (expected) but does not instruct modifying other skills or system-wide configs. No evidence it requires persistent system-wide privileges.
