Skillv1.0.0

ClawScan security

Free Video Generator Canva · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 16, 2026, 5:21 AM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what it says (upload images/clips to a cloud rendering API) but contains inconsistencies and a misleading name (claims “Canva” while calling a different API), and it may read/write a local config path and store tokens — things you should understand before installing.
Guidance: This skill appears to be a legitimate wrapper for a 3rd-party video-rendering API (nemovideo.ai), but its name uses 'Canva' which is likely misleading — it is not an official Canva integration. Before installing or using it: (1) Confirm you are comfortable uploading the files you provide (images/videos/audio) to https://mega-api-prod.nemovideo.ai — do not upload sensitive or private material if you are unsure of their privacy/retention. (2) Check how and where tokens and session IDs are stored: SKILL.md implies saving session_id and may use ~/.config/nemovideo/ to persist state; decide if you accept tokens being written to disk. (3) If you prefer not to provide a persistent credential, use the anonymous-token flow but note it grants limited, time-bound credits. (4) Be aware the skill will read its own frontmatter and detect install paths to set attribution headers — that requires filesystem access to the agent environment. (5) If you need an actual Canva integration, do not assume this skill provides one; ask the publisher for clarification or use an official Canva connector. If any of the above concerns are unacceptable, do not install or invoke the skill.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose is to turn images/clips into short promo videos — the runtime instructions match that (upload files, create sessions, request renders). However the name and marketing use 'Canva' whereas all endpoints point to mega-api-prod.nemovideo.ai (no Canva API). This is misleading and could cause users to assume an official Canva integration when none exists. Also SKILL.md frontmatter includes a required config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — a mismatch that should be resolved.
Instruction Scope: noteRuntime instructions are specific to video creation: generate/refresh tokens, start sessions, upload files, handle SSE, poll render status. That scope is appropriate. The instructions also ask the agent to read the skill's YAML frontmatter and detect install path to populate attribution headers, which requires filesystem/agent-environment access. They also instruct to 'save session_id' and persist tokens (ambiguous whether in-memory or on-disk). These steps are within the functional scope but do give the skill access to local state and may cause tokens/ids to be written to disk.
Install Mechanism: okInstruction-only skill with no install spec and no code files — minimal install risk (nothing is downloaded or written by an installer).
Credentials: noteOnly one credential is declared (NEMO_TOKEN), which is consistent with a hosted rendering API. However the SKILL.md frontmatter adds a configPaths requirement (~/.config/nemovideo/), which is not reflected in the registry metadata; that suggests the skill expects to read/write a local config directory to store tokens or session state. Confirm whether the skill will persist tokens/config to disk before installing. Requesting a single API token is proportional to the stated task, but persistent storage of that token is important to understand.
Persistence & Privilege: noteThe skill is not always-enabled and does not request elevated platform privileges. It can be invoked autonomously (normal default). The instructions imply saving session tokens/ids and detecting the agent install path (to set attribution headers), which could result in persistent local state (~/.config/nemovideo/) — the spec is ambiguous about where session/token data is stored.