Skill v1.0.0

ClawScan security

Script Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 1:19 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (generating scripts and rendering video via the Nemo Video API) matches the runtime instructions and the single credential it requests; nothing in the instructions indicates unexplained or unrelated access.
Guidance
This skill integrates with nemo-video's API and either uses a provided NEMO_TOKEN or obtains a short-lived anonymous token; if you install or run it, be aware that any files you upload (up to ~200MB) and the content of prompts will be sent to https://mega-api-prod.nemovideo.ai for processing. If you care about privacy, do not upload sensitive data or secrets, and consider using an anonymous token (the skill supports obtaining one) instead of a long-lived NEMO_TOKEN. The skill will read a small local path (to set an X-Skill-Platform header) and its own YAML frontmatter for attribution — this is likely harmless but means it checks certain filesystem locations. No installers or extra credentials are required, and the behavior described in SKILL.md matches the declared purpose.

Review Dimensions

Purpose & Capability
ok
Name/description, the API endpoints in SKILL.md, the render/upload/export workflows, and the single required env var (NEMO_TOKEN) are coherent: they all relate to using a Nemo Video backend to generate scripts and render media.
Instruction Scope
note
Instructions are focused on connecting to the nemo-api, session management, SSE message flow, uploads, and exports. They ask the agent to detect install path (to set X-Skill-Platform) and to read this file's YAML frontmatter for attribution headers — a small local file/read requirement that is plausible for setting request headers but is broader than strictly necessary for pure script generation.
Install Mechanism
ok
No install spec and no code files are present (instruction-only skill), so nothing is written to disk or fetched during install. This is the lowest-risk pattern for installation.
Credentials
ok
Only NEMO_TOKEN is declared as required (and the SKILL.md provides a fallback anonymous-token flow). That single credential is proportional to a service that requires authenticated requests. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
ok
always:false (no forced persistent inclusion). The skill does not request system-wide modification privileges or access to other skills' credentials. It will make outbound calls to the Nemo backend, which is expected for the stated functionality.