Skill v1.0.0
ClawScan security
Text To Video Converter Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 5:52 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions mostly align with a text→video service — it only needs a NEMO_TOKEN (or can get an anonymous token) and calls a Nemo video API — but there are minor metadata inconsistencies and privacy/credential considerations you should review before installing.
- Guidance
- This skill is coherent with its claim to convert text into videos and only needs a NEMO_TOKEN (or it can obtain a temporary anonymous token). Before installing: 1) Treat NEMO_TOKEN like a password — prefer using a scoped/dedicated token or use the anonymous flow for testing. 2) Understand that uploaded files are sent to mega-api-prod.nemovideo.ai and may be stored/processed there — avoid uploading sensitive personal or corporate data. 3) Ask the publisher to clarify the metadata mismatch: SKILL.md references ~/.config/nemovideo/ and deriving platform from local install paths; confirm whether the agent will inspect or write those paths. 4) Because source/homepage are unknown, test with non-sensitive data first and monitor any unexpected credit usage or uploads. If you need higher assurance, request the maintainer/publisher information, a privacy policy, or a public code repo before granting a real account token.
Review Dimensions
- Purpose & Capability
- note: Name/description (text→video) align with the runtime instructions and required credential (NEMO_TOKEN). The skill declares an expected config path (~/.config/nemovideo/) in its SKILL.md frontmatter even though the registry metadata lists no config paths — this mismatch should be clarified but is plausibly related to storing session/config for the Nemo service.
- Instruction Scope
- note: SKILL.md instructs only API interactions required for creating sessions, uploading files, streaming SSE, rendering and polling results — all within the stated purpose. It also instructs deriving X-Skill-Platform from install paths (e.g., ~/.clawhub/, ~/.cursor/skills/), which implies the agent may inspect filesystem/install paths; that is outside pure API calls and worth confirming.
- Install Mechanism
- ok: No install spec and no code files — instruction-only, so nothing is downloaded or written by the skill itself.
- Credentials
- note: Only one credential is required: NEMO_TOKEN (declared as primary). That is proportional for a cloud video API. However, NEMO_TOKEN is a bearer credential that can create sessions, upload files, and trigger exports (which could consume credits/allow access to account data). If you supply a long-lived personal token, it grants broad access to the remote service. The SKILL.md also documents obtaining an anonymous token if none is present.
- Persistence & Privilege
- ok: Skill is not forced-always; it's user-invocable and allows normal autonomous invocation. It does not request system-wide or persistent privileges in the registry metadata. The only potential persistence hint is the frontmatter config path (~/.config/nemovideo/), which suggests local config could be read/written; clarify before granting access.
