Skill v1.0.0

ClawScan security

Ai Video Maker Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 9:09 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions largely match its stated purpose (creating videos via a remote API), but there's a small metadata inconsistency to verify before trusting it with credentials or sensitive files.
Guidance
This skill appears to do what it says: it connects to a nemo-video API, creates sessions, uploads user-supplied media, and returns rendered MP4s. Before installing:
1) Verify you trust the API domain (https://mega-api-prod.nemovideo.ai) and the skill publisher because the package has no homepage or code files.
2) Be cautious with NEMO_TOKEN: it grants access to the remote service; do not reuse highly privileged credentials.
3) Ask the publisher or maintainer to clarify the metadata mismatch about ~/.config/nemovideo/ (will the skill read local config files?).
4) Avoid uploading sensitive personal data or files you wouldn't want sent to an external service.
If you cannot confirm the endpoint/publisher, do not install or use the skill with real/privileged credentials.

Review Dimensions

Purpose & Capability
ok: Name/description describe remote AI video rendering. The only declared credential (NEMO_TOKEN) and the API endpoints in SKILL.md are consistent with a cloud video-rendering service; no unrelated services, binaries, or broad system access are requested.
Instruction Scope
note: Runtime instructions stay within the video-rendering domain (create session, upload files, SSE for edits, poll render status). They instruct the agent to POST uploads and messages to the nemo API and to store session_id/token for subsequent calls. One concern: SKILL.md frontmatter lists a config path (~/.config/nemovideo/) in its metadata, which suggests the skill might read local config files, but the registry metadata provided with the skill states 'Required config paths: none' — this mismatch should be clarified.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is lower-risk from an installation perspective.
Credentials
ok: The skill only requires a single service credential (NEMO_TOKEN), which is appropriate for a service-backed video renderer. The SKILL.md also documents how to obtain an anonymous token if none is present. Confirm whether the skill will access the optional config path (~/.config/nemovideo/) before installing.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It instructs the agent to store session tokens/ids for the service, which is normal for a remote API client and limited to its own session data.