Skill v1.0.0

ClawScan security

Deepseek Video Generation Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 2:18 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions, required credential (NEMO_TOKEN), and API calls are consistent with a cloud video-generation service, but the package lacks an authoritative homepage/source and shows a small metadata mismatch that you should be aware of before installing.
Guidance
This skill appears internally consistent for a cloud video-generation tool and only needs the NEMO_TOKEN credential. However, the package has no homepage/source to verify the vendor, and the SKILL.md metadata and registry metadata disagree about config paths. Before installing, consider:
1) Do you trust the external API domain (mega-api-prod.nemovideo.ai)?
2) If you don't already have a NEMO_TOKEN, use the anonymous-token flow (the skill documents it) and prefer a throwaway token or account for testing.
3) Avoid uploading sensitive or private content until you confirm the service's privacy/retention policy.
4) If you want higher assurance, request a homepage, maintainer contact, or official docs from the skill provider.
If any of these make you uncomfortable, don't enable the skill.

Review Dimensions

Purpose & Capability
ok: Name/description (text→video generation) align with the runtime instructions: all API endpoints, upload, export, credits, and SSE workflows target a single service (mega-api-prod.nemovideo.ai). The single required secret (NEMO_TOKEN) is exactly the credential used by the described endpoints and is declared as primaryEnv.
Instruction Scope
note: SKILL.md gives explicit step-by-step runtime actions (obtain anonymous token if absent, create session, SSE chat, upload, export). These steps stay within the stated purpose. The instructions ask the agent to read the skill's YAML frontmatter at runtime and to detect install path (e.g., ~/.clawhub/, ~/.cursor/skills/) to populate attribution headers — reading the skill file and checking those paths is plausible but expands filesystem access slightly (self-contained/skill-specific files only). The skill does instruct uploading user media to an external service (expected for cloud render).
Install Mechanism
ok: No install spec or downloaded code; this is instruction-only which minimizes on-disk risk. There are no brew/npm/remote archive installs to evaluate.
Credentials
note: Only one required env var (NEMO_TOKEN) is declared and used by the described API flows — proportionate for a remote service. Small inconsistency: registry metadata listed 'Required config paths: none' while the SKILL.md frontmatter metadata includes a configPaths entry (~/.config/nemovideo/) — that is service-related but not obviously necessary for basic operation and is a metadata mismatch worth noting.
Persistence & Privilege
ok: Skill is not marked 'always' and does not request elevated or permanent agent privileges. It does not instruct modifying other skills or global agent configuration. Autonomous invocation (disable-model-invocation: false) is the platform default and is not by itself a red flag.