Skillv1.0.0

ClawScan security

Free Video Generation Api Key · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 13, 2026, 8:53 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions, required credential (NEMO_TOKEN), and external API usage are consistent with its stated purpose of generating videos via the nemo video backend, with only minor metadata inconsistencies and expected network/data-transmission risks.
Guidance: This skill appears coherent for generating videos via the nemo backend, but it will upload your prompts and media to https://mega-api-prod.nemovideo.ai and may auto-create an anonymous NEMO_TOKEN if you don't supply one. Before installing/using: (1) confirm you trust the domain/service and are okay with uploading any media you provide, (2) avoid sending sensitive or private files you wouldn't want stored/processed by a third party, (3) ask the skill author whether the anonymous token or session_id are persisted to disk (and where — SKILL.md mentions a config path in frontmatter but registry metadata lacks that), and (4) verify quota/credit implications if you plan heavy use. If you need stronger assurance, request the skill author's homepage/source or network/privacy policy before proceeding.

Review Dimensions

Purpose & Capability: okName/description (video generation) match the required credential (NEMO_TOKEN) and the SKILL.md's documented calls to a nemo video service (mega-api-prod.nemovideo.ai). Requiring a service token for an API-based video generator is proportionate.
Instruction Scope: noteSKILL.md describes only API calls, SSE handling, uploads, and export flows to the documented backend; these actions are within the stated purpose. Notes: the instructions include auto-provisioning an anonymous token (by POSTing to /api/auth/anonymous-token) when NEMO_TOKEN is absent, and require adding attribution headers and auto-detecting an 'install path' for X-Skill-Platform — the latter may be brittle for an instruction-only skill but is not inherently malicious. The skill will transmit user-provided media and prompts to an external service, which is expected but should be considered for privacy.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest install risk. All runtime behavior is network calls described in SKILL.md.
Credentials: noteOnly NEMO_TOKEN is declared as required/primary, which aligns with the API. The skill also documents acquiring an anonymous NEMO_TOKEN when none exists (100 free credits, 7-day expiry). Minor inconsistency: the top-level registry metadata reported no required config paths, but SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) — this mismatch is not necessarily dangerous but should be clarified.
Persistence & Privilege: okalways:false and default autonomous invocation settings. The skill does not request persistent system privileges and does not include install-time modifications. It does instruct to retain session_id for ongoing operations, which is normal for an API client.