Back to skill
Skillv1.0.0
ClawScan security
Text To Video Generator Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 8, 2026, 6:09 AM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions are broadly consistent with a text-to-video service (it needs a NEMO_TOKEN and talks to a nemo video API); there are a few minor inconsistencies and privacy considerations to review before installing.
- Guidance
- This skill behaves like a normal cloud-backed text→video frontend: it will contact https://mega-api-prod.nemovideo.ai, automatically obtain an anonymous token if you don't supply NEMO_TOKEN, create sessions, upload files you provide, and receive signed CDN URLs for outputs. Before installing, consider: 1) Are you comfortable the skill will send your prompts and any uploaded files to an external service? 2) If you have a paid account, prefer setting your own NEMO_TOKEN rather than relying on the anonymous token flow. 3) Confirm the unknown domain (mega-api-prod.nemovideo.ai) and the service's privacy/retention policy for uploaded content and generated media. 4) Ask the publisher to clarify the metadata mismatch about config paths (~/.config/nemovideo/) vs. the registry snapshot. If sensitive data may appear in prompts or uploads, avoid using this skill until you verify the vendor and policies.
Review Dimensions
- Purpose & Capability
- okThe skill is a text-to-video frontend and only requests one service credential (NEMO_TOKEN) and makes REST calls to a video-rendering backend. Needing an API token and session IDs is proportional to the stated purpose.
- Instruction Scope
- noteSKILL.md directs the agent to obtain an anonymous token (POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token), create sessions, send SSE messages, upload files, poll export status, and include attribution headers. These actions are coherent with remote video rendering, but they involve automatic network calls, creation/storage of tokens/session IDs, and optionally uploading user files — so the agent will contact an external service and may transmit user-provided data.
- Install Mechanism
- okInstruction-only skill with no install spec or downloadable code. This minimizes on-disk execution risk; runtime behavior is limited to the agent following the prose in SKILL.md.
- Credentials
- noteThe skill declares NEMO_TOKEN as the primary credential, which matches its API usage. One minor inconsistency: the registry metadata summary lists no required config paths, but the SKILL.md frontmatter metadata includes a configPaths entry (~/.config/nemovideo/). This discrepancy should be clarified, but no additional unrelated secrets are requested.
- Persistence & Privilege
- okalways:false and no install hooks are present. The skill will store in-memory or session state (session_id/token) for requests, but it does not request persistent system-wide privileges or modify other skills.