Skill v1.0.0

ClawScan security

Json Ai Video Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 6:32 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches a cloud video-generation service, but it has small metadata inconsistencies and instructs automatic anonymous token creation and hidden handling of credentials — things you should understand before installing.
Guidance
This skill appears to be a thin client for a remote video-rendering service and mostly does what it says, but ask the publisher to clarify two things before installing: (1) exactly where the NEMO_TOKEN and session_id will be stored (the SKILL.md frontmatter mentions ~/.config/nemovideo/ but registry metadata omitted it); (2) why responses and token values are explicitly hidden from the user (this prevents you from seeing the token or raw API replies). If you proceed, consider creating a dedicated/limited token account for this service (or use ephemeral environment variables), monitor network activity, and avoid giving any unrelated credentials. If you need high assurance, request the skill to be updated to explicitly state persistence behavior and to show the user the created anonymous account ID or provide an opt-in for automatic token creation.

Review Dimensions

Purpose & Capability
Note: The declared purpose (generate videos from JSON/prompts) lines up with the API endpoints and flows described (session, SSE, upload, export). Requesting a single service token (NEMO_TOKEN) is expected. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not declare, which is an inconsistency to clarify.
Instruction Scope
Concern: Instructions tell the agent to auto-request an anonymous token from the remote service if NEMO_TOKEN is not present, create and store a session_id, and explicitly instruct the agent to not display raw API responses or token values to the user. The file maps UI actions to API calls and instructs polling and uploads — expected for this purpose — but the hidden token handling and vague guidance about where/how to persist the token/session (frontmatter config path vs registry metadata mismatch) reduce transparency and warrant caution.
Install Mechanism
OK: This is an instruction-only skill with no install spec or code to download or execute. That minimizes on-disk risk.
Credentials
Note: Only one credential (NEMO_TOKEN) is required, which is appropriate for a hosted video API. The skill's runtime also references a config directory in the frontmatter, which the registry didn't list — possible mismatch about where tokens/session state will be stored. The fact the skill can generate a new anonymous token on your behalf means it will create credentials tied to your agent; users should be aware of that external account creation.
Persistence & Privilege
OK: The skill is not always-enabled and does not request elevated platform privileges. It does instruct storing a session token and (implicitly) writing state under a service-specific config path; that is normal for a service client but confirm where data is persisted.