Skill v1.0.0

ClawScan security

Generation Maker Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 3:17 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent for a cloud video-generation integration, but there are minor metadata inconsistencies and privacy considerations (uploads to an external API) you should review before installing.
Guidance
This skill appears to do what it says: it uploads prompts and media to a cloud video-generation API and returns generated MP4s. Before installing, consider: 1) Privacy — any media and text you send will be uploaded to mega-api-prod.nemovideo.ai; avoid sending sensitive content. 2) Credentials — NEMO_TOKEN is required but can be obtained via an anonymous flow; verify you trust the service before storing tokens. 3) Persistence — the SKILL.md tells the agent to save session_id and references a local config path (~/.config/nemovideo/); ask how and where session tokens are stored and whether they’re written to disk. 4) Provenance — the skill has no homepage and an unknown source/owner; prefer skills with clear vendor info and privacy/terms links. If you proceed, restrict what you upload and monitor any files the agent writes (and consider using an account/token you can revoke).
Findings
[no-findings] expected: The regex-based scanner found nothing to analyze because this is an instruction-only skill (no code files). Network calls and token handling are present only in SKILL.md.

Review Dimensions

Purpose & Capability
note: The skill name/description match its declared primary credential (NEMO_TOKEN) and the SKILL.md describes REST endpoints for video generation and uploads — this is proportionate. Minor inconsistency: registry metadata reported no required config paths, while the skill frontmatter includes a configPaths value (~/.config/nemovideo/), which is unexplained.
Instruction Scope
note: SKILL.md instructs the agent to POST user files and prompts to an external API (mega-api-prod.nemovideo.ai), obtain an anonymous token if none exists, open a render session, stream SSE responses, and save session_id. These actions are expected for a cloud rendering service, but they will transmit user-uploaded media and prompts to an external service — a privacy risk to consider. The skill also requires the agent to derive attribution headers by inspecting its install path and frontmatter, which implies reading local skill metadata and possibly checking common install directories.
Install Mechanism
ok: No install spec and no code files (instruction-only) — nothing is written to disk by an installer. This minimizes supply-chain risk.
Credentials
note: Only a single credential (NEMO_TOKEN) is required, which is proportional for an API-backed service. The skill instructs how to create an anonymous token (UUID + POST) if no token exists. Consider that the anonymous flow will register a client identifier (X-Client-Id) with the API and that uploaded media and prompts are sent to the external service.
Persistence & Privilege
note: always is false and the skill allows autonomous invocation (default). The SKILL.md tells the agent to 'save session_id' but doesn't specify where; this likely means in-session state — confirm whether the agent persists session IDs or tokens to disk (especially given the mention of ~/.config/nemovideo/ in the frontmatter). No evidence the skill modifies other skills or system-wide settings.