Skill v1.0.0
ClawScan security
Online To Video Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 2:19 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requested credential and runtime actions align with its stated purpose (converting online content to videos); it's instruction-only and requests only a single service token, but there are small metadata inconsistencies and you should confirm you trust the nemovideo.ai backend before use.
- Guidance: This skill appears coherent: it needs a NEMO_TOKEN to call a nemovideo.ai backend and otherwise only runs API calls to that service. Before installing, consider: (1) Do you trust the nemovideo.ai domain (mega-api-prod.nemovideo.ai)? The skill will send uploaded content to that backend. (2) If you don't provide NEMO_TOKEN, the skill will request an anonymous token from the service (temporary 7-day token). (3) Clarify the frontmatter config path (~/.config/nemovideo/) and whether the skill will read any local install paths or files (the frontmatter and registry metadata disagree). (4) Because the skill is instruction-only and networked, verify the provider's privacy/terms for uploaded content and check for any required headers or telemetry you might not want sent. If you need stronger assurance, ask the author for a canonical homepage or source repo and confirmation of what local paths (if any) are read.
Review Dimensions
- Purpose & Capability (note): The skill name/description (convert URLs/PDF/TXT/DOCX to videos) matches the instructions, which call a nemovideo.ai API and require a NEMO_TOKEN. The only minor inconsistency is that the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata claimed no required config paths; this should be clarified but does not contradict the core purpose.
- Instruction Scope (note): Runtime instructions stay within the video-rendering workflow: establish a session, upload content, use SSE for edits, poll export status, and return download URLs. They instruct creating an anonymous token if NEMO_TOKEN is absent. No instructions direct reading unrelated local files or harvesting unrelated env vars, but the frontmatter asks that the agent auto-detect 'X-Skill-Platform' from the install path (which implies reading install path/ENV) — clarify what path information is read and sent.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files — lowest-risk installation surface. All runtime actions are network calls to the declared API host; nothing is downloaded or written by an install step.
- Credentials (ok): Only a single credential (NEMO_TOKEN) is required, which is appropriate for a cloud video service. The skill will obtain an anonymous token from the service if none is present (100 free credits, 7-day expiry). No unrelated credentials or broad system secrets are requested.
- Persistence & Privilege (ok): The skill does not request always: true, does not modify other skills, and has normal agent invocation settings. It keeps session_id for operations (expected for this workflow) and has no instructions to alter global agent configuration.
