Skill v1.0.0

ClawScan security

Text To Video Offline · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 16, 2026, 7:42 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly behaves like a cloud text→video service (uploads files and calls nemovideo.ai APIs) despite its “Offline” name and has some metadata mismatches; it’s coherent for cloud usage but misleading and warrants caution before installing.
Guidance
This skill sends your text and uploaded files to mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or it will request an anonymous token from that service). Key points before installing:

- Don't trust the "Offline" label: the skill uses a cloud API and uploads your data. If you need strictly local/offline processing, do not install.
- The NEMO_TOKEN is a bearer credential for the remote service; treat it as sensitive. Prefer using an anonymous token with limited scope/expiry if available, and confirm what data the service retains.
- Verify the service domain (nemovideo.ai) and its privacy/retention policy before sending proprietary content or large files.
- The skill metadata includes a config path in its frontmatter that wasn't declared elsewhere: a minor inconsistency, but worth noting.
- If you proceed, avoid embedding other secrets in prompts or files you upload.

If you need higher assurance, request the source/origin of the skill and a privacy/security statement from the publisher before use.

Review Dimensions

Purpose & Capability
concern: The skill is named and marketed as "Text To Video Offline", but the runtime instructions clearly use a cloud rendering pipeline at mega-api-prod.nemovideo.ai and require network uploads and a bearer token. That naming is misleading. Also, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not reflected in the registry metadata, which is an internal inconsistency.
Instruction Scope
note: The SKILL.md instructs the agent to obtain or use a NEMO_TOKEN, optionally generate an anonymous token by POSTing to the service, create sessions, upload user files (multipart or URL), and stream SSE. These actions are consistent with a cloud video service, but they mean user text/files will be transmitted to an external API. The instructions explicitly say not to print tokens/raw JSON (good). There is also a mechanistic instruction to derive X-Skill-Platform from an install path, which is odd for an instruction-only skill and potentially brittle, but not directly dangerous.
Install Mechanism
ok: There is no install spec and no code files; this skill is instruction-only. That minimizes local code install risk.
Credentials
note: Only NEMO_TOKEN is declared as required (primaryEnv). That is proportionate for a service that uses bearer tokens. However, the frontmatter also references a config path (~/.config/nemovideo/) which was not listed in the registry's required config paths: a metadata mismatch. The skill will create or use session tokens and upload user files, so the single token gives substantial access to the service and should therefore be treated like a credential.
Persistence & Privilege
ok: always is false, and the skill does not request unusual platform privileges. Autonomous invocation is allowed by default (normal). No install-time persistence is described, and no attempts to modify other skills/configs are described.