Skillv1.0.0

ClawScan security

List Of Free Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 16, 2026, 4:22 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent with a cloud-based video-generation service: it only needs a single service token and routes uploads/requests to nemovideo.ai, with no local install or unrelated credentials requested.
Guidance: This skill uploads any text or files you give it to a third-party backend (mega-api-prod.nemovideo.ai) and either uses a provided NEMO_TOKEN or creates a short-lived anonymous token for you. Before installing or using it, consider: 1) Privacy — do not upload sensitive or proprietary media if you don't trust the service; 2) Token handling — the token grants the service session/rendering access, so treat it as sensitive; you can supply your own token instead of relying on the anonymous flow; 3) Retention and billing — anonymous tokens have limited credits/validity (noted in instructions), but check the service's privacy/retention terms if available; 4) No local install or unrelated credentials are required, so the skill's scope is limited to remote video processing. If you need confidentiality or organizational controls, avoid uploading sensitive content or use an approved internal tool instead.

Review Dimensions

Purpose & Capability: okName/description (generate videos from text/images) align with the declared requirement (NEMO_TOKEN) and the SKILL.md which describes remote rendering endpoints and file uploads. The declared config path (~/.config/nemovideo/) and primaryEnv NEMO_TOKEN are appropriate for a remote video service.
Instruction Scope: noteInstructions confine actions to the nemovideo.ai API (auth, session creation, uploads, SSE, render/poll). They direct the agent to auto-obtain an anonymous token if none provided and to store session_id for requests. This is expected, but it does mean user files and text are uploaded to a third-party service — users should be aware of privacy implications. Instructions do not ask the agent to read unrelated local files or other environment variables.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest-risk installation surface. Nothing is downloaded or written to disk by an installer.
Credentials: okOnly a single service credential (NEMO_TOKEN) and an optional config path are required. The SKILL.md also supports auto-creating a short-lived anonymous token if none is provided, which reasonably explains the declared env var. No unrelated secrets or cloud credentials are requested.
Persistence & Privilege: okSkill does not request always:true, does not modify other skills or system config, and has no install step. Autonomous invocation is allowed by default (platform normal), but the skill itself does not demand elevated persistence or system-wide changes.