Skill v1.0.0

ClawScan security

Video Create Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 4:23 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requested credentials, endpoints, and runtime instructions are consistent with a cloud video-generation integration, but there are small inconsistencies and privacy considerations you should understand before installing.
Guidance
This skill appears to do what it says: it talks to a remote video-generation API, uploads user-supplied media, creates sessions, streams progress, and returns a download URL. Before installing: (1) Note the source/homepage is unknown — consider the trustworthiness of the service. (2) The skill will use NEMO_TOKEN (or request an anonymous token itself) which authorizes uploads and render jobs — do not upload sensitive or private files. (3) Clarify the config path discrepancy (~/.config/nemovideo/) and whether the agent will read/write files under your home directory or only use lightweight install-path detection for a header. (4) The skill requires sending headers that include the skill name/version — this leaks which skill/version is in use to the service. If you are comfortable with those privacy tradeoffs and the remote domain (mega-api-prod.nemovideo.ai), the skill's requests appear proportionate to its purpose. If you need higher assurance, ask the publisher for a homepage/source and confirmation about the config-path behavior and exact filesystem access.

Review Dimensions

Purpose & Capability
note
Name/description (create videos from images/prompts) match the instructions and API endpoints (upload, render, credits). One inconsistency: the registry metadata listed no required config paths, but the SKILL.md frontmatter metadata declares a config path (~/.config/nemovideo/). This is likely benign but should be clarified.
Instruction Scope
note
SKILL.md stays within the expected scope (establish session, upload files, stream SSE, poll render state). It also instructs the agent to auto-acquire an anonymous token if NEMO_TOKEN is absent and to auto-detect an 'install path' to set X-Skill-Platform — that implies reading an install path or environment to choose a header value. Reading an install path is minor scope creep compared with the core purpose; confirm the agent will only access lightweight metadata and not arbitrary user files.
Install Mechanism
ok
No install spec and no code files — instruction-only skill. No binaries or archive downloads are requested, so there is low installation risk.
Credentials
note
Only one credential (NEMO_TOKEN) is declared, which is proportional for a third‑party video API. The skill will also obtain an anonymous token itself via a network call if none is present. The frontmatter's config path (~/.config/nemovideo/) is declared in SKILL.md but was not listed in the registry metadata — clarify whether the agent will read or write that path. Also note the required Authorization header gives the service access to uploaded files and render jobs; avoid sending sensitive documents.
Persistence & Privilege
ok
always is false and there is no install-time persistence or modification of other skills. The skill uses network calls and sessions but does not request elevated persistent privileges in the agent.