Skill v1.0.0

ClawScan security

Upsampler Free Ai Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 5:17 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions and required credential (NEMO_TOKEN) are coherent with a cloud video-generation service, but there are small metadata inconsistencies and a couple of details you should verify before trusting it with sensitive data.
Guidance
What to check before installing:
1) The skill calls https://mega-api-prod.nemovideo.ai and uses a NEMO_TOKEN (it can also request an anonymous token). Only supply an API token if you trust that service; prefer a token scoped/limited to this purpose.
2) The SKILL.md frontmatter references ~/.config/nemovideo/ even though the registry metadata did not — ask the publisher whether the skill will read that directory (it may be used to find locally stored tokens).
3) The skill includes attribution headers that may include platform/install-path info; if you do not want to reveal local paths, ask how those headers are constructed and whether they can be omitted.
4) Avoid uploading sensitive, private video material until you verify the service's privacy policy and the domain's reputation.
If you need higher assurance, ask the publisher to provide concrete provenance (homepage, source repository) and to resolve the configPaths metadata mismatch.

Review Dimensions

Purpose & Capability
note: The name/description claim cloud video generation; the SKILL.md instructs exactly the API calls, uploads, SSE, and render workflow you would expect. Requiring NEMO_TOKEN (and supporting an anonymous-token fallback) is consistent with that purpose. However, the skill's YAML frontmatter advertises a config path (~/.config/nemovideo/) while the registry metadata reported earlier listed no required config paths — this mismatch is unexplained and worth checking.
Instruction Scope
ok: Runtime instructions stay within the domain of talking to the remote nemovideo API, creating sessions, uploading media, and polling renders. The skill asks the agent to include and manage session tokens and to handle SSE streams — all expected for this functionality. There are no instructions to read arbitrary unrelated system files, shell history, or to exfiltrate unrelated data.
Install Mechanism
ok: This is instruction-only (no install spec, no code files), so nothing is written to disk by an install step. That is the lowest-risk install mechanism.
Credentials
note: Only one credential (NEMO_TOKEN) is required, which matches a backend API. The frontmatter also references a config path (~/.config/nemovideo/) that could contain stored tokens or user data; the registry metadata earlier claimed no config paths. This inconsistency could be innocent (outdated metadata) but increases the risk that the skill expects to read local config for tokens — confirm whether the skill will read that path and why before installing.
Persistence & Privilege
ok: The skill does not request always: true and does not ask to modify other skills or system-wide settings. It uses normal agent-invocation privileges (autonomous invocation allowed by default).