Skill v1.0.0
ClawScan security
Video Maker Free Ai App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 11:30 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's claimed purpose (remote AI video creation) matches the actions and the single requested credential (NEMO_TOKEN); nothing in the instructions asks for unrelated secrets or system access, though a small metadata mismatch is worth noting.
- Guidance: This skill appears internally consistent for a cloud video-rendering service. Before installing or using it: 1) Confirm you trust the remote domain (mega-api-prod.nemovideo.ai) because uploaded media and generated tokens are sent there. 2) Avoid uploading sensitive personal or corporate videos unless you understand the provider's privacy and retention policy. 3) The skill will accept a NEMO_TOKEN or obtain an anonymous token for you — prefer supplying a token from an account you control if you want better access tracking. 4) Ask the skill author what the listed config path (~/.config/nemovideo/) is used for; if it reads local config files, that should be documented and justified. 5) If you need higher assurance, request a verified homepage or vendor documentation before installing.
Review Dimensions
- Purpose & Capability (ok): The skill name/description and the SKILL.md consistently describe a cloud-based video render pipeline. The only required environment variable is NEMO_TOKEN, which is appropriate for authenticating to the described API endpoints. The endpoints, upload, session, credits, and render flows all align with the stated video creation purpose.
- Instruction Scope (note): Runbook instructs the agent to create sessions, upload user media, stream SSE, poll job status, and return download URLs — all expected for a remote render service. It explicitly requires Authorization and attribution headers. One minor inconsistency: the metadata lists a configPath (~/.config/nemovideo/) but the runtime instructions do not explain reading that path; it's unclear whether the agent will read local config files.
- Install Mechanism (ok): This is instruction-only with no install spec and no code files, so nothing is written to disk by an installer. That is the lowest-risk install profile and matches the described cloud-based operation.
- Credentials (note): The skill requests a single credential (NEMO_TOKEN) which is consistent with authenticating to the vendor API; the SKILL.md also provides a fallback anonymous-token flow if no token is present. The metadata's declared configPath (~/.config/nemovideo/) is unexpected relative to the instructions and could imply local config access; the file instructions do not show reading any other env vars or secrets.
- Persistence & Privilege (ok): always is false and the skill does not request elevated or persistent system privileges. It does not instruct modifying other skills or global agent settings. Model invocation is allowed (normal) but that combined with this skill's limited scope does not raise a privilege concern.
