Skill v1.0.0
ClawScan security
Ai Videoclip Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 7:43 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly matches a cloud video-generation purpose (it asks for a NEMO_TOKEN and describes API calls) but has internal inconsistencies and instructions that imply filesystem/installation-path inspection that aren't declared — worth clarifying before installing or trusting with files/tokens.
- Guidance
- Before installing or invoking this skill: 1) Confirm the API domain (mega-api-prod.nemovideo.ai) and review its privacy/retention policy — any images or product photos you upload will be sent to that external service. 2) Understand that the skill will use a NEMO_TOKEN if present, or obtain an anonymous token (100 free credits) — check where tokens are stored and for how long. 3) Ask the publisher to clarify the config-path and install-path behavior: why does the skill need to inspect ~/.clawhub/ or ~/.cursor/skills/ or ~/.config/nemovideo/? If it does, that grants access to local filesystem context beyond just uploaded files. 4) If you will upload sensitive images or proprietary assets, require explicit guarantees (encryption in transit, retention policy, ability to delete content). 5) If these clarifications aren't provided, treat the skill cautiously (avoid using sensitive data) or mark it as untrusted.
Review Dimensions
- Purpose & Capability
- note: The name/description match the actions in SKILL.md (remote GPU rendering, uploads, exports). Requesting NEMO_TOKEN as the primary credential is coherent for a hosted API. However the metadata frontmatter lists a config path (~/.config/nemovideo/) and the runtime docs describe deriving X-Skill-Platform by inspecting install paths (~/.clawhub/, ~/.cursor/skills/). The registry metadata at top said 'Required config paths: none' — this mismatch (declared none vs metadata listing) is inconsistent and should be clarified.
- Instruction Scope
- concern: The instructions direct network calls to https://mega-api-prod.nemovideo.ai for anonymous-token, session creation, upload, and render — expected for the service. But they also require detecting the agent's install path to populate X-Skill-Platform and describe multipart uploads using local file paths (e.g., -F "files=@/path"). That implies the agent will access local filesystem paths and check for directories; those filesystem reads are not declared as required config paths in the registry and may expose more local context than a simple API integration. The instructions also instruct generating and reusing tokens and session IDs; behavior for storing or persisting these is not specified.
- Install Mechanism
- ok: No install spec and no code files — instruction-only skill. This is low-risk from an install vector standpoint because nothing is written to disk by an installer. Runtime behavior (network calls/uploads) is the main surface.
- Credentials
- note: Only NEMO_TOKEN is declared as a required environment variable (primaryEnv). That aligns with a cloud API usage. But metadata also references a config path (~/.config/nemovideo/) and the runtime wants to derive install path information; asking for or reading additional local config or paths would be disproportionate unless documented. Confirm whether the skill actually needs access to local config directories before granting broader filesystem access.
- Persistence & Privilege
- ok: always:false and agent-autonomy settings are default; the skill does not request permanent presence or elevated privileges. It describes sessions and tokens but does not explicitly instruct persisting secrets or modifying other skills' configuration. If a runtime implementation stores tokens to disk, that should be disclosed.
