Skill v1.0.0
ClawScan security
Animation Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 3:54 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud-based animation/video rendering service; it asks for a single service token and instructs the agent to upload user media and call the provider's API, which matches its stated purpose.
- Guidance: This skill will upload your scripts, images, and video files to a third‑party API (mega-api-prod.nemovideo.ai) and requires a service token (NEMO_TOKEN). Before installing: 1) avoid uploading sensitive or confidential media to this skill unless you trust the provider; 2) prefer using an ephemeral or limited-scope token (or use the anonymous 7-day token flow) rather than long-lived credentials; 3) check where the agent will persist session/token data (the skill references ~/.config/nemovideo/) and how to delete/revoke it; 4) review the provider's privacy/terms and any billing/credits implications; 5) be aware the agent will make outbound network calls and can upload files autonomously when invoked. If any of these are unacceptable, do not install or supply your primary credentials.
Review Dimensions
- Purpose & Capability: ok. Name/description (create animated explainer videos) align with requested credential (NEMO_TOKEN), endpoints, and upload/export workflow. The listed config path (~/.config/nemovideo/) is plausible for caching session or token data and is not disproportionate to the service.
- Instruction Scope: note. SKILL.md directs the agent to obtain or use a bearer token, create a session, upload user media (up to 500MB), stream SSE chat edits, poll export status, and include attribution headers on every request, all of which is expected for a cloud render API. Note: it will transmit user files and script text to an external domain (mega-api-prod.nemovideo.ai). The instructions direct the agent to save session_id but do not strictly specify where; the policy for storing tokens and session state should be considered.
- Install Mechanism: ok. No install spec or code is present (instruction-only), so nothing is written to disk by an installer. This is the lowest install risk.
- Credentials: ok. Only one environment variable (NEMO_TOKEN) is required and declared as the primary credential, which is proportional for a third‑party API. The metadata's config path is plausible for caching; no unrelated credentials or broad secrets are requested.
- Persistence & Privilege: note. Skill does not request always: true and uses normal autonomous invocation. The skill expects to save session_id and may persist tokens in the declared config path; this is reasonable for a session-based API, but you should confirm where tokens/session data are stored and how to revoke them.
