Back to skill
Skillv1.0.0
ClawScan security
Text To Video Leaderboard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 1:28 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a text-to-video ranking service: it only needs a NEMO token (which it can obtain anonymously), uses a single backend domain, and has no install steps or unrelated permissions.
- Guidance
- This skill appears to do what it says: it will send your uploaded media and prompts to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN (it can obtain a 7-day anonymous token if you don't provide one). Before installing, consider: (1) privacy — your videos and prompts will be uploaded to the nemo backend; (2) storage/credits — uploads can be up to 500MB and the service uses credits; (3) token handling — the skill stores session tokens for subsequent requests; and (4) trust — only install if you trust the nemo service and are comfortable with those uploads. No other credentials or system-wide access are requested.
Review Dimensions
- Purpose & Capability
- okName/description (compare and rank text→video models) match the declared requirements: a single service token (NEMO_TOKEN) and a config path for nemo. Requested headers, endpoints, and upload semantics all align with a cloud video-rendering/leaderboard backend.
- Instruction Scope
- okSKILL.md instructs only to check/create NEMO_TOKEN, create a session, upload videos, call SSE and render endpoints, and poll session state. It does not direct reading unrelated system files or other credentials; file uploads and multipart paths are expected for this functionality.
- Install Mechanism
- okNo install spec or external downloads — instruction-only. Nothing is written to disk by an installer and no third-party packages are pulled in by the skill itself.
- Credentials
- okOnly NEMO_TOKEN is required (primaryEnv) and the declared config path (~/.config/nemovideo/) is consistent with the service. The skill also describes generating an anonymous token when none is present, which is proportionate to its purpose.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or system-wide configuration changes. It expects to store and reuse session tokens for the service, which is normal for this sort of integration.