Skill v1.0.0

ClawScan security

Ai Video Generator Professional · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 3:21 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are broadly consistent with a remote AI video-generation service, but there are a few small metadata inconsistencies and privacy considerations to review before installing.
Guidance
This skill appears to do what it says: call a remote API to render videos and requires one API token (NEMO_TOKEN). Before installing, confirm the API host (mega-api-prod.nemovideo.ai) and owner are trustworthy, and decide whether you want the agent to auto-create an anonymous token (the skill will POST to the auth endpoint and store the returned token) or to provide your own NEMO_TOKEN. Be aware that any files you upload will be sent to their servers for rendering — don't upload sensitive or private content unless you trust the service and its privacy policy. Also ask the skill author to clarify the configPaths discrepancy (SKILL.md frontmatter lists ~/.config/nemovideo/ but registry metadata did not), and prefer provisioning a token manually if you want tighter control. If you need higher assurance, request a homepage, official docs, or an official release/source before using.

Review Dimensions

Purpose & Capability
note: The skill name/description match the actions described (creating sessions, uploading video, rendering on remote GPUs). Requested credential NEMO_TOKEN is appropriate for an API-backed service. Minor inconsistency: the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/) while the registry metadata listed no required config paths — this mismatch should be clarified but is not itself a functional red flag.
Instruction Scope
ok: The SKILL.md instructs only API calls and session management (anonymous token endpoint, session creation, SSE, upload, export/polling). It asks the agent to read user-provided files for upload and to detect install path for a header value — both are reasonable for this skill. It does not instruct reading unrelated system files or unrelated credentials.
Install Mechanism
ok: No install spec or code files are present (instruction-only). This is lowest-risk for disk persistence or arbitrary code installs.
Credentials
note: Only NEMO_TOKEN is required which is proportional to the described API usage. The skill includes a flow to obtain an anonymous token by POSTing to a remote auth endpoint and then treat that token as NEMO_TOKEN; be aware the agent will generate and store/use that token automatically if NEMO_TOKEN is not pre-provided. The frontmatter's configPaths entry suggests the skill may look in ~/.config/nemovideo/ (inconsistent with registry metadata) — this is plausible but should be explicit.
Persistence & Privilege
ok: always is false and the skill does not request elevated platform-wide privileges. It will persist session tokens and job IDs as expected for a remote-rendering workflow; it does not attempt to modify other skills or system-wide settings.