Skill v1.0.0

ClawScan security

Generator Ai Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 12, 2026, 12:24 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (AI video generation) matches the actions in SKILL.md (calls to a nemo video API, session creation, uploads); it only requests a single service token and has no install step, but there are small metadata/instruction inconsistencies you should be aware of.
Guidance
This skill appears to do what it says: it calls the nemo video API to create sessions, upload user files, and render video. Before enabling it, consider:
1) The skill will make network calls to https://mega-api-prod.nemovideo.ai and may create an anonymous NEMO_TOKEN for you if you don't supply one — that token lasts ~7 days and grants limited credits. If you prefer control, provide a token you manage rather than relying on automatic anonymous tokens.
2) The SKILL.md references a config path (~/.config/nemovideo/) and may detect install paths to set headers — if you are worried about filesystem access, ask whether the agent will read those paths or just infer platform names.
3) There is no installer or other credentials requested, and no other services are required. If you do not trust the nemo service or the domain, do not provide a persistent NEMO_TOKEN; use ephemeral tokens or avoid installing.
Finally, treat autonomous invocation as normal (default) but monitor what requests the skill makes during early uses.

Review Dimensions

Purpose & Capability
ok
The name and description promise cloud video generation; the instructions show exactly that (session creation, SSE, upload, render/export endpoints). Requesting NEMO_TOKEN is proportional to that purpose. Minor inconsistency: the registry summary said 'Required config paths: none' while the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). This is likely a bookkeeping mismatch but worth noting.
Instruction Scope
note
Instructions only call the nemovideo backend (https://mega-api-prod.nemovideo.ai) for auth, session creation, uploads and renders; they also provide guidance for SSE handling and polling. The skill includes behavior to auto-obtain an anonymous token if NEMO_TOKEN is not present (POST /api/auth/anonymous-token) and to generate a UUID client id. SKILL.md also says X-Skill-Platform is detected from install paths (~/.clawhub/, ~/.cursor/skills/) which implies the agent may inspect its environment/install path — the file system read is not explicitly prescriptive but is implied. No instructions ask for unrelated credentials or broad file system scanning beyond user-supplied uploads and optional config path.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files — lowest-risk install profile. It will not download or write external binaries as part of an installer step.
Credentials
note
Only one environment variable (NEMO_TOKEN) is declared as required/primary, which aligns with a cloud service token for a video API. The skill will try to obtain an anonymous token if none is present (100 free credits, 7-day expiry). The SKILL.md frontmatter additionally declares a config path (~/.config/nemovideo/), which was not reflected in the registry summary; it's unclear whether the skill expects to read that path. No other secrets are requested.
Persistence & Privilege
ok
The skill is not forced-always and uses default model invocation. It does not request persistent installation privileges or modifications to other skills. Creating/using an anonymous service token is normal for this kind of integration.