Skill v1.0.0
ClawScan security
Ai Video Generator Free Grok · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 4:15 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud video-generation integration; it asks only for a single service token and uses the remote nemo API as documented in the SKILL.md.
- Guidance: This skill appears coherent for a cloud video-generation integration. Before installing, consider: (1) the skill will send any uploaded media and text prompts to https://mega-api-prod.nemovideo.ai — do you trust that service with your content and PII? (2) If you set NEMO_TOKEN in your environment it will be used directly; otherwise the skill will request an anonymous token from the same API. (3) The metadata declares a config path (~/.config/nemovideo/) that the instructions do not mention — benign but avoid placing sensitive files there unless you trust the service. If you are unsure, avoid putting long-lived credentials in NEMO_TOKEN, test with anonymous usage first, and review network/activity logs or use an isolated environment.
Review Dimensions
- Purpose & Capability (note): The skill claims to generate videos via a Nemo/Grok backend and only requests NEMO_TOKEN (primary credential) which matches that purpose. Minor mismatch: registry metadata lists a required config path (~/.config/nemovideo/) that the runtime instructions do not reference; this is likely benign but is an unexplained metadata entry.
- Instruction Scope (ok): SKILL.md instructs the agent to create or use an API token, create sessions, upload user-provided media, send SSE messages, and poll export endpoints — all coherent with a cloud render pipeline. The instructions read their own YAML frontmatter and detect install path for attribution headers; they do not tell the agent to read arbitrary unrelated files or other credentials.
- Install Mechanism (ok): No install spec or external downloads are used — this is instruction-only, so nothing is written to disk by an installer. Risk from install mechanism is low.
- Credentials (ok): Only a single environment variable (NEMO_TOKEN) is declared as required and is appropriate for a remote API. The skill also has logic to obtain an anonymous token if no token is present, which reduces the need for user-supplied secrets.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide changes or access to other skills' configuration. It only reads its own frontmatter and may inspect its install path for header attribution.
