Skill v1.0.0
ClawScan security
Openart Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 10, 2026, 9:09 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code-free instructions and single required credential (NEMO_TOKEN) align with its stated purpose of calling a remote render API, though there are minor metadata inconsistencies and no publisher info.
- Guidance: This skill is instruction-only and appears to do what it claims: talk to nemovideo.ai to create/edit/export videos and images, using a single API token (NEMO_TOKEN). Before installing: (1) confirm you trust the nemovideo.ai domain since the skill will send your uploads and prompts there; (2) supply a dedicated API token or let it use an anonymous token if you prefer ephemeral credentials; (3) note the SKILL.md mentions a local config path (~/.config/nemovideo/) even though the registry metadata did not — ask the publisher whether the skill will read/write that directory; (4) avoid using highly sensitive data in uploads unless you trust the service and its privacy policy; and (5) because the publisher/homepage is unknown, consider testing with throwaway content/accounts first.
Review Dimensions
- Purpose & Capability (ok): Name/description (AI art/video generation) matches the runtime instructions which call a nemovideo.ai rendering API. The single declared credential NEMO_TOKEN is appropriate for an API-backed service.
- Instruction Scope (note): Instructions stay within the rendering workflow (session creation, SSE for streaming, upload, export, polling). They ask the agent to store session_id and use Authorization headers but do not instruct reading arbitrary system files. Minor scope ambiguity: the YAML frontmatter references a config path (~/.config/nemovideo/) and derives an X-Skill-Platform from install paths, but the registry metadata showed no required config paths — it's unclear whether the skill expects to read/write that directory.
- Install Mechanism (ok): No install spec or code files are present (instruction-only), so nothing is downloaded or written to disk by the skill itself — lowest install risk.
- Credentials (note): Only one credential (NEMO_TOKEN) is required, which is proportionate. The skill also documents an anonymous-token flow (POST to /api/auth/anonymous-token) to obtain a short-lived token if none provided — acceptable but be aware this will create/use an API-issued token. Inconsistency: SKILL.md metadata mentions a config path that could expose local files if implemented, but that path is not declared in the registry metadata.
- Persistence & Privilege (ok): always:false and no install means the skill doesn't request permanent platform-wide presence. It asks the agent to keep a session_id in-memory or in-session storage for ongoing calls, which is normal for an API client.
