Skill v1.0.0
ClawScan security
Video Generator Free No Sign · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 10:54 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill’s behavior mostly fits a cloud video-renderer, but there are multiple inconsistencies (declared required env/config vs. runtime behaviour, hidden token acquisition, and an unknown external backend) that warrant caution before installing or uploading content.
- Guidance: This skill appears to be a front-end for a cloud video-renderer and will upload your images/audio to https://mega-api-prod.nemovideo.ai. Before installing or using it: (1) be aware your media and metadata leave your device; do not upload sensitive or confidential content. (2) The skill claims NEMO_TOKEN is required yet also auto-creates anonymous tokens — clarify whether the platform will force you to provide secrets or allow anonymous issuance. (3) There is no homepage or source listed and the metadata has inconsistencies (config path present only in SKILL.md). If you need stronger assurance, ask the publisher for a privacy policy, source repo, or an explanation of token storage/rotation and where session tokens are persisted. If you proceed, prefer using non-sensitive test files and monitor network requests or tokens the skill creates.
Review Dimensions
- Purpose & Capability (concern): The skill’s stated purpose (cloud video generation) matches the network endpoints and actions in SKILL.md, but registry metadata and SKILL.md disagree: the registry listed no config paths while the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). Also the registry marks NEMO_TOKEN as required, yet SKILL.md documents auto-provisioning an anonymous token if none is present. These mismatches leave the skill's actual requirements unclear.
- Instruction Scope (concern): Runtime instructions direct the agent to obtain/store an auth token, create a session, upload user files (up to 200MB), stream SSEs, and poll render status against https://mega-api-prod.nemovideo.ai. Uploading user media to an external service is expected for a video generator, but the SKILL.md explicitly tells the agent to auto-fetch a token and to “Don't display raw API responses or token values to the user,” which could hide sensitive debug/credential info. The doc also describes detecting install paths to set headers, implying the agent may read filesystem paths for context. Overall the scope is broad but largely consistent with video creation; the main issues are the secrecy around token handling and the filesystem/config path references.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer; that reduces installation risk. Network calls described in SKILL.md are the primary runtime surface.
- Credentials (note): Only NEMO_TOKEN is declared as the required credential, which is proportionate for an external video API. However, the SKILL.md both checks for NEMO_TOKEN and describes how to auto-acquire an anonymous token via the service’s /anonymous-token endpoint, making the declared 'required' env var ambiguous. The metadata also lists a config path not reflected in the registry's 'required config paths', another inconsistency.
- Persistence & Privilege (ok): The skill does not request 'always: true' and does not declare changes to other skills or system-wide settings. It does ask to store a session_id for continued requests (normal for session-based APIs) but does not request elevated platform privileges.
