Skill v1.0.0

ClawScan security

Text To Video Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 22, 2026, 7:47 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary
The skill's instructions largely match a text→video API, but there are inconsistencies (metadata vs. frontmatter) and a few vague instructions that could require accessing agent install/config paths; verify the backend and token use before installing.

Guidance
This skill appears to be a straightforward wrapper for a third-party text→video API and requests a single API token (NEMO_TOKEN), which is reasonable. Before installing:
1) Verify the backend domain (mega-api-prod.nemovideo.ai) and the vendor's reputation — this skill will POST your scripts and media to that service.
2) Prefer using an anonymous/short-lived token (the skill supports generating one) rather than placing a long-lived secret in your environment.
3) Ask the author to clarify the config-path claim (~/.config/nemovideo/) and how X-Skill-Platform is auto-detected — confirm the skill will not read unrelated files or secrets.
4) Remember that uploads may include sensitive content (product IP, audio), so check the vendor's retention and privacy policies.
If you cannot verify the backend or resolve the metadata/configPath inconsistency, treat the skill cautiously.
Findings
[no_static_findings] expected: The regex-based scanner found no code files or matches. This is expected because the skill is instruction-only (SKILL.md). Absence of findings does not guarantee safety — behavior is determined by the runtime instructions (network calls).

Review Dimensions

Purpose & Capability
ok: Name/description (convert text scripts to 1080p video) align with the endpoints and workflows described in SKILL.md: session creation, SSE messages, upload, render/export. Requesting a single API token (NEMO_TOKEN) is expected for a cloud video service.
Instruction Scope
note: Instructions are primarily network calls to the nemovideo API (expected). However, the frontmatter asks for configPaths (~/.config/nemovideo/) and requires detection of an install path to set X-Skill-Platform; it is unclear whether the agent must read filesystem/install paths to auto-detect the platform. The doc also instructs the agent to 'Keep the technical details out of the chat,' which reduces transparency about what data (session IDs, request failures) might be hidden from the user. Nothing in the instructions directs the agent to read unrelated system secrets, but the platform-detection step is vague and could imply reading environment/install metadata.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This is the lowest install risk (no packages downloaded or archives extracted).
Credentials
concern: The skill declares a single primary credential (NEMO_TOKEN), which is appropriate for an API-based service. However, there is an inconsistency: the registry metadata provided to the scanner lists no required config paths, while the SKILL.md frontmatter includes ~/.config/nemovideo/ in metadata.requires.configPaths. That discrepancy should be resolved. Also, the skill recommends obtaining an anonymous token by POSTing to the vendor endpoint and then using that token as NEMO_TOKEN; consider using short-lived/anonymous tokens rather than uploading a long-lived secret, and verify what privileges that token grants and whether it will be stored.
Persistence & Privilege
ok: always:false (no forced inclusion) and no install-time persistence are set. The skill can be invoked autonomously (default), which is normal for skills; this by itself is not a red flag. There is no indication the skill modifies other skills or system-wide settings.