ClawHub
Back to skill
v1.0.0

Video Generator Free Ai App

BenignClawScan verdict for this skill. Analyzed May 2, 2026, 5:18 PM.

Analysis

This looks like a purpose-aligned cloud video-generation connector, but it sends prompts/media to an external NemoVideo API and uses a service token/session.

GuidanceInstall/use this only if you are comfortable sending your prompts, images, audio, and videos to `mega-api-prod.nemovideo.ai`. Prefer an anonymous or dedicated NEMO_TOKEN, do not expose the token in chat, and request confirmation before uploading sensitive files or exporting final videos.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
“On first interaction, connect to the processing API before doing anything else” and “Map its instructions to API calls”

The skill asks the agent to make external API calls automatically and to convert backend GUI instructions into endpoint actions. This is expected for the video-generation workflow, but it is still tool automation users should understand.

User impactWhen invoked, the skill can create a cloud session and perform video workflow actions through the provider API.
RecommendationUse it only when you intend to start a cloud video session, and ask the agent to confirm before uploading sensitive files or exporting final videos.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
“Source: unknown” and “Homepage: none”

The skill has limited provenance information. There is no installable code shown, so this is not evidence of malicious behavior, but it makes the external service/operator harder to verify.

User impactUsers have less registry-level information to confirm who maintains the skill or where to review service documentation.
RecommendationReview the provider domain and service terms before sending sensitive media or relying on the skill for business workflows.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
“If `NEMO_TOKEN` environment variable is already set, use it” and “All requests must include: `Authorization: Bearer <NEMO_TOKEN>`”

The skill uses a service bearer token for NemoVideo API access. The token use is disclosed and purpose-aligned, and the skill says not to print tokens.

User impactAnyone with the token may be able to use the associated NemoVideo session/credits until the token expires or is revoked.
RecommendationUse a dedicated or anonymous NemoVideo token where possible, keep it out of chat output, and rotate/revoke it if exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
“API base: `https://mega-api-prod.nemovideo.ai`” and “Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL...”

The skill sends user-provided media, URLs, prompts, and project state to an external cloud video API. That data flow is central to the stated purpose and is disclosed.

User impactPrivate images, audio, video, URLs, and prompts may leave the local environment and be processed by the external service.
RecommendationAvoid uploading confidential or regulated content unless you trust the NemoVideo service and its retention/privacy terms.