Skill v1.0.0

ClawScan security

Video To Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 3:24 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's network actions and credential use are broadly consistent with a cloud video-generation tool, but small metadata mismatches and automatic token/session handling plus required uploads to an external service raise privacy and transparency concerns.
Guidance
This skill appears to be a legitimate cloud-based video generator, but before installing consider the following:

- It will upload your videos (and possibly audio/images) to mega-api-prod.nemovideo.ai for processing — do not upload sensitive or confidential footage unless you trust the service and its retention/privacy policy.
- If you don't supply NEMO_TOKEN, the skill will automatically request an anonymous token and keep a session_id; ask where tokens/sessions are stored and for how long they are valid. Prefer supplying your own token if you can review its scope.
- There's a metadata mismatch: SKILL.md references a local config path (~/.config/nemovideo/) though the registry metadata did not — ask the skill author to clarify whether the skill will read/write local files.
- Verify the service domain and review its terms/privacy, especially for ownership and retention of uploaded media.
- If you need stronger guarantees, request the author to add explicit user consent prompts, a clear description of local persistence, and an option to avoid automatic token creation.

Review Dimensions

Purpose & Capability
note: Name/description (cloud video generation) align with the declared primary credential NEMO_TOKEN and the listed API endpoints for upload/render. However, SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that is not reflected in the registry metadata (which lists no required config paths). This mismatch is an inconsistency that should be clarified.
Instruction Scope
concern: Runtime instructions instruct the agent to upload user video/audio/image files to mega-api-prod.nemovideo.ai, open SSE streams, create anonymous tokens if NEMO_TOKEN is not set, and store a session_id for subsequent requests. Uploading user data to an external service is expected for this purpose but is sensitive — the skill does not explicitly require user consent or explain retention/processing policies. The instruction to 'don't display raw API responses or token values' is unusual and reduces transparency about what is stored. Overall the instruction set stays within the stated functionality but lacks clear user-facing privacy/consent controls.
Install Mechanism
ok: No install spec or code files are present (instruction-only), which is the lowest-risk install mechanism. Nothing is downloaded or written by an installer according to the manifest.
Credentials
note: Only one environment variable is required (NEMO_TOKEN), which is proportionate to a cloud API client. However, the skill's frontmatter references a config path for nemovideo which suggests it may read or write local config (SKILL.md doesn't explicitly instruct file writes). The skill also instructs auto-creating an anonymous token when NEMO_TOKEN is absent — that behavior implies storing credentials somewhere (not clearly specified).
Persistence & Privilege
note: The skill is not always-enabled and is invocable by the user (normal). There is no explicit request for system-wide privileges. The presence of a declared config path in SKILL.md implies possible local persistence of tokens/sessions, but the documentation doesn't spell out where or whether the token/session is persisted to disk.