Skillv1.0.0

ClawScan security

Text To Video Hindi Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 16, 2026, 7:47 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill broadly matches its stated purpose (convert Hindi text to video) but contains metadata/instruction inconsistencies (required token vs. anonymous token flow, config path mention) and will upload user files to an external service — verify the remote service and token handling before use.
Guidance: This skill appears to do what it says (convert Hindi text to videos) and will send uploaded content to https://mega-api-prod.nemovideo.ai for processing. Before installing or providing a NEMO_TOKEN: 1) Confirm you trust nemovideo.ai (privacy, retention, and sharing of uploaded media). 2) Ask the author why NEMO_TOKEN is marked required when the runtime can request an anonymous token — this affects whether the skill ever needs your private token. 3) Note the skill will upload user files (TXT/DOCX/PDF/SRT) — do not use it with sensitive content unless you’ve verified the backend. 4) If you want extra caution, test the skill with non-sensitive content first and/or avoid setting a persistent NEMO_TOKEN in your environment. 5) Request missing provenance (homepage or official repo) from the publisher; lack of a known source lowers trust. If you can get answers to the token and config-path inconsistencies, that will increase confidence.

Review Dimensions

Purpose & Capability: noteThe skill's name and instructions match its purpose (text→video, uploads, SSE render). However the registry metadata declares NEMO_TOKEN as required while the runtime SKILL.md provides an anonymous-token fallback if NEMO_TOKEN is missing; that mismatch is unexplained. The SKILL.md frontmatter also mentions a config path (~/.config/nemovideo/) not present in the top-level registry data — another metadata inconsistency.
Instruction Scope: okRuntime instructions are specific and limited to the video service: create/validate a token, create a session, upload files, SSE for generation, poll render status, and download results. The only slightly broadened behavior is 'auto-detect' X-Skill-Platform by reading an install path (implies inspecting environment/install location) — otherwise no instructions ask the agent to read unrelated local files or credentials.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code to write to disk, which is the lowest-risk install model.
Credentials: noteThe skill asks for one credential (NEMO_TOKEN), which is reasonable for a cloud video API. But SKILL.md shows it can obtain an anonymous token via a public endpoint if NEMO_TOKEN is absent — so declaring NEMO_TOKEN as strictly required is inconsistent. Frontmatter also references a config path (~/.config/nemovideo/) not declared elsewhere; clarify whether the skill will read that path.
Persistence & Privilege: okalways:false and no install-time persistent modifications are requested. The skill can be invoked autonomously by the agent (default), which is normal; there is no request to modify other skills or system-wide settings.