Skill v1.0.0

ClawScan security

Free Text To Video App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 4:08 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions align with a text→video service and only require a single service token, but there are small metadata mismatches and behavior (automatic token minting, filesystem probing for install path, and storing session tokens) that are not fully justified by the declared registry requirements and warrant caution.
Guidance
This skill appears to be an instruction-only connector to a third-party video rendering API (mega-api-prod.nemovideo.ai). Before installing:
1) Remember uploads (text/files) go to that external service — do not upload sensitive data or private keys.
2) The skill will use or mint a NEMO_TOKEN and keep session IDs; confirm how your agent stores those tokens (in memory only vs written to disk).
3) The SKILL.md probes your home directories to detect install path and references a local config path (~/.config/nemovideo/) — if you prefer no filesystem checks, avoid installing.
4) The skill metadata in the registry and the SKILL.md have small inconsistencies (declared required env/config vs behavior), and the skill source/homepage are unknown — verify the service's privacy/terms and the publisher before proceeding.
5) Because this is network-only (no local code), the main risk is data sent to the remote API — treat it like granting a web service access to files you upload.

Review Dimensions

Purpose & Capability
ok: The name/description (convert text into videos) matches the actions described (upload text/files, call a remote rendering API, start exports). Requesting a NEMO_TOKEN to call mega-api-prod.nemovideo.ai is coherent with the stated purpose.
Instruction Scope
note: Runtime instructions direct the agent to obtain or use NEMO_TOKEN, create sessions, upload user files, stream SSEs, and poll render status — all in-scope. The skill also instructs reading the skill's YAML frontmatter and probing common install paths (~/.clawhub, ~/.cursor/skills/) to populate X-Skill-Platform; this filesystem probing is not strictly necessary for video creation and should be highlighted to the user.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This minimizes on-disk write risk; all behavior occurs through runtime instructions and network calls.
Credentials
concern: Registry metadata lists NEMO_TOKEN as required, but SKILL.md describes auto-generating an anonymous token if one is not present — a mismatch. SKILL.md frontmatter also references a config path (~/.config/nemovideo/) that is not declared in the provided requirements. The skill will create/use short-lived tokens and store session_id values; this requires care because secrets/tokens may be written or cached by the agent unless storage behavior is clear.
Persistence & Privilege
note: always is false and autonomous invocation is allowed (normal). The skill instructs creating and storing session tokens and polling long-running jobs; that persistent session state is expected for rendering but increases the blast radius if tokens are mishandled. No attempt to modify other skills' configs is present.