Skill v1.0.0

ClawScan security

Best Ai Video Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 8, 2026, 6:52 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with a single external video service (nemovideo.ai): it asks for one service token (NEMO_TOKEN), directs API calls to nemovideo.ai, and does not request unrelated credentials or install code on the host.
Guidance
This skill appears to be what it says: it calls nemovideo.ai and requires a NEMO_TOKEN. Before installing, be aware it will make network requests to https://mega-api-prod.nemovideo.ai and can auto-generate an anonymous token if NEMO_TOKEN isn't set (the token is valid for 7 days). If you prefer to control credentials, set NEMO_TOKEN yourself rather than relying on anonymous token creation. The skill may read/write ~/.config/nemovideo/ and will inspect install paths to populate attribution headers — if you have privacy concerns, review or sandbox those directories and confirm you trust the nemovideo.ai service and its privacy/usage terms.

Review Dimensions

Purpose & Capability
ok: Name/description (AI video generation) match the declared requirement (NEMO_TOKEN) and the SKILL.md shows only API calls to nemovideo.ai and related session/credit endpoints — nothing unrelated is requested.
Instruction Scope
note: Instructions tell the agent to auto-connect to nemovideo.ai, obtain an anonymous token if NEMO_TOKEN is absent, create a session, upload files, and call rendering endpoints. This stays within the domain of video generation, but the skill will make network calls and may read install paths/config to set attribution headers and store session_id — a minor privacy/behavior note rather than a mismatch.
Install Mechanism
ok: No install spec or code is provided (instruction-only). Nothing is downloaded or written to disk by an installer step in the manifest, which reduces supply-chain risk.
Credentials
ok: Only NEMO_TOKEN is required (declared as primaryEnv). The SKILL.md's automatic anonymous-token flow is consistent with that requirement. The declared config path (~/.config/nemovideo/) is plausible for storing session state and matches the service domain.
Persistence & Privilege
note: The skill is not always-enabled and does not request elevated system privileges. It does instruct storing a session_id and reading install/config paths for attribution headers; users should expect the skill to create and use short-lived tokens/sessions and to access the listed config path.