Skillv1.0.0

ClawScan security

Free Video Generator Kling · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 21, 2026, 6:56 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions align with its stated purpose (calling a remote video-rendering API with a single service token); nothing requested appears unrelated or disproportionate.
Guidance: This skill contacts an external service (mega-api-prod.nemovideo.ai) and requires a service token (NEMO_TOKEN). If you install it, be aware uploaded images/text/videos will be sent to that external API for rendering. Prefer using the anonymous token flow if you don't want to store a long-lived token. Do not paste any unrelated secrets into chat. Verify you trust the nemovideo domain and its privacy terms before uploading sensitive content. The skill asks for a header that identifies the skill; that’s normal for telemetry/attribution but be cautious if you see requests to other domains or unexpected credential usage.

Purpose & Capability: okThe skill is a cloud video generator and only requests a single service token (NEMO_TOKEN) and references a nemo config path; both are coherent with contacting a remote rendering API. No unrelated credentials or system services are requested.
Instruction Scope: okRuntime instructions describe obtaining/using a bearer token, creating a session, uploading media, using SSE and export endpoints, and polling job status. These actions are appropriate for a cloud render service and do not instruct reading arbitrary local files or exfiltrating unrelated data. A minor ambiguity: the SKILL.md asks to auto-detect an install path to set X-Skill-Platform, but there is no install step—this is an implementation detail rather than a scope creep.
Install Mechanism: okThis is instruction-only with no install spec or downloads, so there is no on-disk install risk.
Credentials: okOnly NEMO_TOKEN is declared as required and used. The SKILL.md also documents a flow to mint an anonymous short-lived token if none is present, which is consistent with the declared primary credential. The declared config path (~/.config/nemovideo/) is plausible for this service.
Persistence & Privilege: okThe skill is not always-enabled and does not request system-wide changes or other skills' credentials. Autonomous invocation is allowed by default but not combined with broad privileges here.