Skill v1.0.0
ClawScan security
Generation Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 4:39 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches a cloud video-generation tool, but a few internal inconsistencies and metadata/behavioral ambiguities (unknown source, mismatch between declared registry metadata and the SKILL.md frontmatter, and instructions that imply reading install paths) warrant caution before installing.
- Guidance: This skill behaves like a normal cloud video-generation helper, but exercise caution: the publisher is unknown and there is a mismatch between registry metadata and the SKILL.md frontmatter (SKILL.md mentions a local config path). Before installing, consider: 1) Do you trust mega-api-prod.nemovideo.ai? Review its privacy and data-retention policies because you will upload media (up to 500MB). 2) Use a throwaway/anonymous NEMO_TOKEN if possible (do not reuse sensitive tokens). 3) Confirm how/where the agent will store session_id or tokens (avoid persistent plaintext storage). 4) Be aware the skill may attempt to infer an install path for an attribution header — restrict filesystem access or run in an isolated environment if you don’t want tooling to probe home directories. If you need higher assurance, ask the author for provenance/homepage or prefer a skill from a known publisher.
Review Dimensions
- Purpose & Capability (ok): Name/description (AI video generation) lines up with the runtime instructions: uploading media, creating sessions, SSE chat, export/render APIs and requiring a service token (NEMO_TOKEN) are all expected for this purpose.
- Instruction Scope (note): SKILL.md limits actions to service API calls (auth, session creation, upload, SSE, export), which is appropriate. However, it also instructs the agent to derive an attribution header from the agent's install path and to 'save session_id' without specifying storage or secure handling — this implies the agent may inspect local paths or persist state, which is broader than the pure “call the API” scope.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files; nothing will be written to disk by an installer. This is the lowest install risk.
- Credentials (note): Only one credential is declared (NEMO_TOKEN), which is proportional to a cloud service. The SKILL.md also provides a built-in anonymous-token flow (POST to the service) if NEMO_TOKEN is absent. The frontmatter in SKILL.md nevertheless lists a config path (~/.config/nemovideo/) while the registry metadata showed no required config paths — an inconsistency that could indicate the skill expects or will look for local config files.
- Persistence & Privilege (ok): always:false, and no indications that the skill requests persistent platform-wide privileges. It asks to 'save session_id' but does not demand always-on presence or modification of other skills/configs.
