Skill v1.0.0
ClawScan security
Text To Video Generative Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 10:04 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly behaves like a text→video API client (which justifies a token and network access), but there are multiple small inconsistencies and ambiguous instructions (install-path detection, mismatched config-path declarations, anonymous-token behavior) that warrant caution before installing.
- Guidance: This skill appears to be a client for a third-party video-generation API and needs a NEMO_TOKEN (or will create a short-lived anonymous token) and permission to upload files to that service. Before installing: verify the provider domain (mega-api-prod.nemovideo.ai), confirm the privacy/data retention policy (you will upload media and text), and consider testing with non-sensitive content. Ask the publisher for clarification about the config path (~/.config/nemovideo/) and the 'X-Skill-Platform' auto-detection (how it determines an install path for an instruction-only skill). Prefer using an account token you control rather than letting the skill create an anonymous token if you care about traceability. Because of the metadata inconsistencies and ambiguous platform-detection step, proceed only after those points are clarified.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (text-to-video) align with its network calls and the NEMO_TOKEN credential. However the frontmatter/metadata references a config path (~/.config/nemovideo/) while the registry metadata elsewhere lists no required config paths—this mismatch is unexplained. Requiring NEMO_TOKEN is reasonable, but the skill can also obtain an anonymous token itself, so declaring the env var as strictly required is inconsistent.
- Instruction Scope (concern): SKILL.md directs the agent to call multiple API endpoints, upload user files (up to 500MB), hold session tokens, and stream SSE responses — all expected for a cloud render client. Concerns: it asks the agent to auto-detect an 'install path' to set X-Skill-Platform (odd for an instruction-only skill), and requires persistent session/token handling in memory (and implies saving session_id). There is no instruction to access unrelated local files, but the install-path detection and configPath mention broaden the scope in unclear ways.
- Install Mechanism (ok): Instruction-only skill with no install spec or bundled code — lowest install risk. Nothing is downloaded or written by an installer per the provided metadata.
- Credentials (note): Only one credential (NEMO_TOKEN) is declared, which fits a cloud API client. But the skill also documents creating an anonymous token by calling the provider endpoint (so the env var might not be strictly necessary). The frontmatter's configPaths entry is inconsistent with the registry summary (no required config paths), which suggests either sloppy metadata or an expectation of reading/writing ~/.config/nemovideo/ that isn't made explicit.
- Persistence & Privilege (ok): always:false and no special system-wide privileges requested. The skill expects to manage its own session token and session_id, which is normal. It does not request permanent presence or modification of other skills.
