Skill v1.0.0
ClawScan security
Free Video Script Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 12, 2026, 1:22 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared requirements and runtime instructions mostly match its video-generation purpose, but there are inconsistencies (required env var vs. auto-generated anonymous token) and some filesystem/network behavior that the user should review before installing or using it.
- Guidance: This skill will send uploaded videos and prompts to an external API (mega-api-prod.nemovideo.ai) and will create or store a session token for subsequent requests. Before installing or using it: 1) Verify you trust the nemovideo.ai domain and review its privacy/terms for uploaded media; 2) Prefer supplying your own NEMO_TOKEN if you have one rather than letting the skill fetch and store an anonymous token; 3) Ask where tokens/session IDs will be stored (file path/permissions) and whether they are persisted beyond 7 days; 4) Be aware the skill probes install paths on disk to set headers; if you’re uncomfortable with that, avoid installing or run the skill in an isolated environment. The metadata/instructions mismatch (declared required env var vs. auto-creation) is not obviously malicious but is a red flag worth clarifying with the skill author or registry before trusting it with sensitive content.
Review Dimensions
- Purpose & Capability (note): The skill claims to render videos via a Nemo backend and only lists NEMO_TOKEN as a required credential, which is appropriate. However, metadata lists NEMO_TOKEN as required while the SKILL.md explicitly instructs the agent to obtain an anonymous token automatically if no NEMO_TOKEN is present; this mismatch between declared requirements and the runtime flow is inconsistent.
- Instruction Scope (concern): Instructions perform network calls to a third-party API (mega-api-prod.nemovideo.ai), upload user files, create/store session tokens, and detect install paths on disk to set X-Skill-Platform headers. Uploading user media and storing tokens is expected for this skill, but automatic token acquisition and filesystem probing (detecting ~/.clawhub/ or ~/.cursor/skills/) expand the agent's scope. The SKILL.md also advises not displaying raw tokens but does not specify secure storage locations or retention policy.
- Install Mechanism (ok): No install spec or code files are present; this is an instruction-only skill. That minimizes disk writes and executable installs, so the install mechanism itself poses low risk.
- Credentials (note): Only NEMO_TOKEN is declared as required, which is proportional to the stated purpose. The metadata also requests a config path (~/.config/nemovideo/) which aligns with storing session state. The main concern is that the skill will auto-generate and store a token if one isn't provided; users should confirm where that token is stored and whether they prefer to supply their own token.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated platform privileges. It does request persistence of session_id/token within its own config path, which is reasonable for a session-based API but should be validated by the user.
