Skill v1.0.0

ClawScan security

Video Maker Facebook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 5:58 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested token, API endpoints, and behavior align with its stated purpose (cloud video rendering); there are no unexplained credentials, installs, or file operations, but the agent will send user files and metadata to an external service and will auto-acquire an anonymous token if none is provided.
Guidance
This skill is internally consistent with a cloud video-rendering service, but it will upload whatever images/videos you provide to an external host (mega-api-prod.nemovideo.ai). Consider: 1) Do not upload sensitive or private images unless you trust the service and have read its privacy policy. 2) If you already have a NEMO_TOKEN from the provider, set it in the environment to use your account; otherwise the agent will automatically obtain an anonymous token (100 free credits) by contacting the provider. 3) The skill sends attribution headers and may reveal platform/install metadata — acceptable for functionality but something to be aware of. 4) If you need stronger guarantees about retention or privacy, contact the provider or avoid uploading sensitive content. If you want extra assurance, ask the skill author for the provider's privacy/terms links or test with non-sensitive media first.
Findings
[no_code_files] expected: The regex scanner had nothing to analyze because this is an instruction-only skill (SKILL.md). No code-level patterns were reported; runtime behavior depends on the agent following the SKILL.md instructions.

Review Dimensions

Purpose & Capability
ok
The name/description (create Facebook-ready video from images) match the instructions: calling a remote video-rendering API, uploading media, creating sessions, and exporting MP4s. Required env var (NEMO_TOKEN) and declared config path (~/.config/nemovideo/) are coherent with a cloud video service.
Instruction Scope
note
Instructions confine actions to the remote API (session creation, SSE messaging, uploads, export polling). They do direct the agent to upload user-provided files and to POST for anonymous tokens if no NEMO_TOKEN exists — this is expected for the service but means user media and some metadata are transmitted to mega-api-prod.nemovideo.ai. The skill also requires specific attribution headers and asks to auto-detect platform/install path; these are not harmful but do reveal some environment/install metadata.
Install Mechanism
ok
No install spec and no code files — instruction-only. This is low-risk from an install perspective (nothing is written to disk by an installer).
Credentials
note
Only one credential (NEMO_TOKEN) is declared as required, which is proportional for a cloud API. The SKILL.md also describes obtaining an anonymous token when none is set — acceptable but important to note: the agent will make network calls to retrieve that token. The declared config path (~/.config/nemovideo/) is reasonable for storing session/credential data, though the SKILL.md doesn't explicitly describe reading/writing that path.
Persistence & Privilege
ok
always:false and normal model invocation; the skill does not request elevated or persistent platform privileges and does not modify other skills or system-wide configs per provided instructions.