Skillv1.0.0

ClawScan security

Animated Video Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 10, 2026, 8:43 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud-based animated video service: it needs one service token, talks to a remote API, and uploads user media for rendering.
Guidance: This skill appears to do what it says: it will upload your images/audio/text to nemovideo's cloud API, obtain or use a NEMO_TOKEN, create a session, and return a rendered MP4. Before installing, consider: (1) you will be sending media and project data to an external service (mega-api-prod.nemovideo.ai) — confirm you trust that service and understand its privacy/retention; (2) the skill will create and persist an anonymous token/session (it mentions a config path in the SKILL.md) — check where those are stored if you want to remove them later; (3) the SKILL.md auto-generates a token if none is provided, so the skill can contact the external API automatically on first use; and (4) clarify the small metadata inconsistency about config paths if you need guarantees about filesystem access. If those behaviors are acceptable, the skill is internally coherent.

Purpose & Capability: okName/description align with the required NEMO_TOKEN and the SKILL.md endpoints for uploading, rendering, and checking credits. The actions (upload, SSE, render) are expected for an online video-rendering tool.
Instruction Scope: noteThe SKILL.md instructs the agent to auto-obtain an anonymous token if NEMO_TOKEN is not present, create and store a session_id, stream SSE responses, upload user media, and poll render status — all reasonable for this service. Note: the skill will communicate with external host mega-api-prod.nemovideo.ai and will store tokens/session state; the instructions also reference detecting an install path to set an attribution header.
Install Mechanism: okInstruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer as part of installation.
Credentials: noteOnly NEMO_TOKEN is requested (primary credential), which is appropriate for accessing the remote service. Minor inconsistency: the registry summary listed no required config paths, but the SKILL.md frontmatter metadata mentions a config path (~/.config/nemovideo/); this should be clarified (reading/writing that path would be reasonable for session/token persistence but is not declared elsewhere).
Persistence & Privilege: okSkill is user-invocable, not always-enabled, and does not request elevated platform privileges. It will persist a token/session for service use, which is normal for a cloud integration.