Skill v1.0.0
ClawScan security
Text To Video Open Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 5:03 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are internally consistent with a cloud-based text→video service: it needs a NEMO_TOKEN (or will obtain an anonymous one), talks to nemovideo.ai endpoints, and uploads user media — no unrelated credentials or installs are requested.
- Guidance: This skill connects to mega-api-prod.nemovideo.ai, will upload files you provide, and can auto-generate an anonymous NEMO_TOKEN if you don't supply one — tokens last ~7 days. If you're evaluating it, consider: (1) Do you trust the remote service to handle your media? Avoid uploading sensitive or private content. (2) Prefer supplying your own NEMO_TOKEN from an account you control if you want traceability. (3) Note the skill may make network calls automatically on first use to create tokens/sessions. If you need more assurance, contact the service operator or inspect a published source implementation before use.
Review Dimensions
- Purpose & Capability (ok): Name/description (text→video) align with the declared NEMO_TOKEN credential, the ~/.config/nemovideo/ config path, and the API endpoints in the SKILL.md. There are no unrelated environment variables or binaries requested.
- Instruction Scope (note): SKILL.md instructs the agent to automatically obtain an anonymous token if NEMO_TOKEN is absent, create sessions, post/upload files, and stream SSE from mega-api-prod.nemovideo.ai. Those actions are expected for a cloud render service, but they entail uploading user files and creating/holding tokens — the user should be aware the skill will transmit potentially sensitive data to the remote backend. Metadata lists a config path (~/.config/nemovideo/) though the runtime instructions do not explicitly read it.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest disk/write footprint. All runtime behavior is network/API calls; nothing is downloaded or executed locally by an installer.
- Credentials (note): Only NEMO_TOKEN is required and declared as primaryEnv, which is proportional for a remote API. The metadata also mentions a configPath which could imply local config access, but SKILL.md does not instruct reading local files or other secrets.
- Persistence & Privilege (ok): always:false and normal autonomous invocation. The skill will create and use session tokens and may re-request anonymous tokens, but it does not request elevated system privileges or modify other skills.
