Skill v1.0.0

ClawScan security

Vidu Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 5:48 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions mostly match its stated purpose (remote AI video generation); only minor inconsistencies and implementation notes were found but nothing that contradicts the claimed functionality.
Guidance
This skill is coherent with a cloud video generation service: it will contact mega-api-prod.nemovideo.ai, upload media, and use/obtain a short-lived NEMO_TOKEN if you don't provide one. Before installing, consider: (1) privacy — uploaded images/videos and prompts are sent to a third‑party service; avoid sensitive content, (2) token handling — the skill may obtain and store a 7‑day anonymous token for you, so ask where that token/session is stored if you need persistence control, (3) clarify the config path: the SKILL.md references ~/.config/nemovideo/ but registry metadata didn't list it — confirm whether the skill will read/write files there, and (4) review the service's privacy/terms on the provider domain if possible. If you need higher assurance, request the author to resolve the configPath mismatch and to confirm whether tokens/session data are only kept in ephemeral agent state or written to disk.

Review Dimensions

Purpose & Capability
ok: Name/description (AI video generation) align with requested network endpoints and the single credential NEMO_TOKEN. The skill's API calls, upload endpoints, and render flow are coherent with a cloud video-rendering service.
Instruction Scope
note: SKILL.md instructs the agent to obtain an anonymous token if NEMO_TOKEN is absent, create sessions, upload files, stream SSE, poll job status, and include attribution headers by reading the skill frontmatter and detecting install path. Those actions are expected for this service, but the skill also declares a config path (~/.config/nemovideo/) in its YAML frontmatter while the registry metadata lists no required config paths — a minor inconsistency to clarify. Instructions explicitly tell the agent not to display raw tokens/responses, which is appropriate.
Install Mechanism
ok: Instruction-only skill with no install spec or downloaded code. Lowest-risk class: nothing is written to disk by an installer in the package metadata itself.
Credentials
note: Only one credential (NEMO_TOKEN) is required, which is appropriate for a third‑party API. The skill will also generate an anonymous token automatically if none is provided — reasonable but means the agent will POST to the remote auth endpoint and hold a short-lived token (7 days). The frontmatter's config path (~/.config/nemovideo/) suggests possible optional local storage but registry metadata did not list required config paths; clarify whether the skill will read/write that path.
Persistence & Privilege
ok: always:false and normal autonomous invocation. The skill asks to store a session_id for the active session (expected in-memory or agent state) but does not request persistent system-wide privileges or modification of other skills.