Skill v1.0.0

ClawScan security

Video Creator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 5:50 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions largely match a remote video-rendering service, but there are small inconsistencies (declared config path present in the SKILL.md but not in registry metadata) and it will upload your files and auto-create tokens on an external domain — review before use.
Guidance
This skill appears to really call an external video-rendering backend and will upload whatever images/clips you give it. Before installing or using it: (1) Confirm the service domain (mega-api-prod.nemovideo.ai) is trustworthy and read its privacy policy — sensitive images will leave your device. (2) Decide whether to provide your own NEMO_TOKEN rather than allowing the skill to auto-request an anonymous token. (3) Ask the author to clarify the config-path discrepancy: SKILL.md frontmatter lists ~/.config/nemovideo/ but the registry metadata did not — find out whether tokens or session IDs will be persisted to disk and where. (4) If you need stricter privacy, avoid uploading private media to this service. If you want me to, I can extract the exact API calls and headers the skill will use so you can review them or run them manually.

Review Dimensions

Purpose & Capability
note: The skill's name/description describe remote video creation and the runtime instructions call a remote video-render backend (upload endpoints, render/start/export APIs) — this is coherent. Minor incoherence: the registry metadata lists no required config paths, but the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/). That mismatch should be clarified (is the skill going to read or write that path?).
Instruction Scope
ok: SKILL.md instructs only remote API calls (auth, session creation, file upload, SSE streaming, render polling) and handling their responses. Those actions are within the stated purpose. It does automatically acquire an anonymous token if NEMO_TOKEN is not present and directs the agent to store session_id for future requests; these are expected for a remote service but users should be aware files and metadata will be transmitted off-device.
Install Mechanism
ok: No install spec and no code files (instruction-only). This is low-risk from an installation perspective — nothing is written to disk by an installer here (though the runtime may upload files and persist session ids).
Credentials
note: Only one credential is required (NEMO_TOKEN) which matches the service's Authorization header usage. Proportional overall. Note: SKILL.md also lists a config path in its frontmatter; the registry listing omitted this. Confirm whether the skill will read/write ~/.config/nemovideo/ and whether tokens or session ids are persisted there.
Persistence & Privilege
ok: always is false and the skill is normal user-invocable/autonomous. The skill instructs storing session_id for requests, which is normal. There is no instruction to modify other skills or global agent configuration.