Skillv1.0.0

ClawScan security

Best Text To Video Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 26, 2026, 6:15 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behaviour (uploading files and calling a remote API) matches its description, but inconsistencies in declared config paths and instructions that may probe local paths and upload user files to an external endpoint make the package worth extra scrutiny before use.
Guidance: What to consider before installing/using this skill: - The skill will upload your files and prompts to https://mega-api-prod.nemovideo.ai for cloud rendering and return download URLs — do not upload sensitive or confidential content unless you trust the service and its privacy policy. - It needs a NEMO_TOKEN (API token). If none is present it will create an anonymous token for you by calling the service; consider using a throwaway token if you want to limit exposure. - The SKILL.md suggests detecting install paths and references a local config directory (~/.config/nemovideo/). The registry metadata did not declare this; ask the publisher to confirm whether the skill will read/write those paths and why. - Because this is an instruction-only skill with no code to review, you cannot audit exactly what it will read or send. If you need stronger assurance, request the skill's source or prefer a reviewed client or official integration. - If you decide to use it: avoid uploading secrets or private files, monitor network activity if possible, and consider creating an account/token with limited privileges or a short lifetime. If you want, I can: 1) draft questions to ask the skill author about the config path and persistence, or 2) walk through what a minimal safety checklist would look like before sending files to the service.

Review Dimensions

Purpose & Capability: noteThe declared primary credential (NEMO_TOKEN) and the runtime instructions that call a remote video-rendering API are consistent with a text-to-video service. Nothing else (no extra cloud credentials or unrelated binaries) is requested. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) that is not reflected in the registry metadata — an inconsistency that suggests the skill may expect or touch a local config directory even though the registry did not declare it.
Instruction Scope: concernRuntime instructions direct the agent to POST to https://mega-api-prod.nemovideo.ai for anonymous tokens, session creation, SSE streaming, uploads, and exports — which is expected for this service. They also instruct generating a client UUID, streaming SSE connections, and uploading files via multipart using local file paths (e.g., -F "files=@/path"). The SKILL.md further instructs detecting an installation path (~/.clawhub/ or ~/.cursor/skills/) to set a header. That implies the agent may probe home-directory paths and access local files beyond the user-supplied upload, and it instructs keeping technical details out of chat (which could hide network activity). These behaviors are plausible for a file-uploading service but broaden the agent's access surface and should be confirmed with the publisher.
Install Mechanism: okThere is no install spec and no code files; this is an instruction-only skill. That limits on-disk changes and reduces install-time risk.
Credentials: concernOnly NEMO_TOKEN is required, which is appropriate for a service API key. However, the skill's YAML metadata also lists a config path (~/.config/nemovideo/) and the runtime docs describe detecting install paths to set X-Skill-Platform headers. The registry metadata (provided separately) did not declare these config paths. The mismatch means the agent may access or expect files in your home directory even though that access wasn't declared up front — a disproportionate/unclear usage of local config paths that should be clarified.
Persistence & Privilege: noteThe skill does not request 'always: true' and has no install steps that would permanently modify agent configuration. It does create session tokens and may store or use a token (NEMO_TOKEN) during operation; the frontmatter's config path suggests it could read/write ~/.config/nemovideo/ if implemented. Confirm whether tokens or artifacts are persisted and where.