Skill v1.0.0

ClawScan security

Video Maker Cartoon Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 4:57 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (creating cartoon videos) aligns with its runtime instructions and requested credential (NEMO_TOKEN); minor metadata inconsistencies and privacy considerations are noted but do not indicate intentional misdirection.
Guidance
This skill appears to do what it says: it uploads your images/text to a remote rendering service (mega-api-prod.nemovideo.ai) and returns a rendered video. Before installing, consider:
(1) Privacy: your images and scripts will be sent to that external service, so don't upload sensitive content.
(2) Token handling: the skill will use NEMO_TOKEN if present; otherwise it will request an anonymous token from the provider and may persist session/token state under ~/.config/nemovideo/ (the registry metadata and the skill frontmatter disagree on config paths; ask the author to clarify).
(3) Revocation: know how to revoke the token/anonymous access with the provider if you stop using the skill.
(4) Verify the domain and service reputation if you have concerns about data handling.
If you need higher assurance, ask the skill author to explicitly document where tokens are stored and how long they last, and to provide an option to opt out of persisting tokens to disk.

Review Dimensions

Purpose & Capability
ok: The skill is a cloud-backed video rendering tool and requests a single service token (NEMO_TOKEN), which is consistent with needing authenticated access to a remote rendering API. Nothing in the instructions requires unrelated credentials or system-level access.
Instruction Scope
note: SKILL.md instructs the agent to create sessions, upload user files, stream SSE responses, and poll render status on the external API, all expected for a cloud render workflow. It also tells the agent to generate an anonymous token by POSTing to the provider's auth endpoint when NEMO_TOKEN is not present, and to 'auto-setup' on first use. These behaviors imply network communication and likely storage of session/token state; the instructions do not ask for unrelated files or secrets. Be aware that user-supplied images and scripts will be transmitted to the external service.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code to write to disk, which is the lowest-risk install profile.
Credentials
note: Only one credential is required (NEMO_TOKEN), which is appropriate for accessing the remote API. The skill's frontmatter also lists a config path (~/.config/nemovideo/), which suggests the agent may persist tokens or session state; the registry metadata provided separately did not list this config path, creating a small inconsistency that should be clarified.
Persistence & Privilege
note: The skill is not set to always:true and does not request elevated platform privileges. However, the frontmatter-configured config path implies the skill may store files (tokens/session state) under ~/.config/nemovideo/; this is plausibly needed, but the registry metadata mismatch should be resolved so the user knows where data will be written.