Skill v1.0.0

ClawScan security

Media Content Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 30, 2026, 1:22 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with a cloud video-generation service, but there are small inconsistencies (metadata vs SKILL.md) and you should be aware it uploads your media to an external API and may read a local config path if present.
Guidance
This skill appears to be what it says: a cloud-based media renderer that needs a NEMO_TOKEN or will request an anonymous token from mega-api-prod.nemovideo.ai and will upload any media you send. Before installing/using it: (1) Only provide a NEMO_TOKEN if you trust the nemo service; otherwise let the skill use its anonymous token flow for non-sensitive tests. (2) Be aware all uploaded assets and rendered outputs go to the external domain noted in SKILL.md — review the vendor's privacy and retention policies. (3) Clarify the metadata inconsistency: SKILL.md lists a config path (~/.config/nemovideo/) that could be read at runtime even though registry metadata said no config paths; if you want to avoid that, run the skill in an environment without that path or remove sensitive files there. (4) Because the skill is instruction-only and has no install, it won't write code to disk, but it will make outbound HTTP requests and include its attribution headers on every request. If you need higher assurance, ask the skill author for a homepage, privacy policy, and the exact conditions under which the skill will read local config paths and include attribution headers.

Review Dimensions

Purpose & Capability
ok
Name/description (generate videos from user media) match the declared requirement for a single service credential (NEMO_TOKEN) and the described API endpoints. No unrelated credentials or unrelated binaries are requested.
Instruction Scope
note
SKILL.md instructs the agent to use NEMO_TOKEN if present or obtain an anonymous token by POSTing to the vendor API, create a session, upload media, stream edits via SSE, poll render status, and return download URLs. These actions are consistent with a cloud render service. The instructions also tell the agent to read this file's frontmatter for attribution and to detect the install path (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform — reading the skill file and checking a couple install paths is minor scope expansion but worth noting.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — lowest install risk. The skill relies on network calls to the stated public API domain (mega-api-prod.nemovideo.ai).
Credentials
note
The only declared primary env var is NEMO_TOKEN, which is appropriate. However, SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata listed none — this inconsistency should be clarified because the skill may attempt to read that local path to obtain credentials or config.
Persistence & Privilege
ok
always:false and no install scripts or file-writing instructions are present. The skill can be invoked autonomously by the agent (platform default), which is expected; it does not request permanent presence or system-wide config changes.