Skill v1.0.0
ClawScan security
Wan Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 4:19 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud video-generation integration; it asks for a single service token and talks only to the nemovideo API, with no installers or unrelated credential requests.
- Guidance: This skill behaves like a standard cloud video-generation integration: it needs a NEMO_TOKEN (or will obtain an anonymous short-lived token) and will send your prompts and any files you upload to the nemovideo API (mega-api-prod.nemovideo.ai). Before installing, consider whether you trust that third-party service and its privacy/terms; avoid uploading sensitive personal or proprietary files unless you accept they will be transmitted to that service. Note the SKILL.md frontmatter references a local config path (~/.config/nemovideo/) and asks the agent to detect its install path for attribution — this is a minor metadata inconsistency with the registry but not itself malicious. If you want tighter control, create a limited-purpose API token for this skill or refrain from providing sensitive uploads.
Review Dimensions
- Purpose & Capability (ok): Name/description (WAN AI video generation) align with the runtime instructions and API endpoints (nemovideo/mega-api-prod.nemovideo.ai). Requiring NEMO_TOKEN is appropriate for an API-backed generator and the skill documents session, SSE, upload, export, and credits endpoints that match the stated purpose.
- Instruction Scope (note): SKILL.md instructs the agent to use NEMO_TOKEN (or obtain a short-lived anonymous token via the service), create sessions, send SSE messages, and upload user files — all consistent with a cloud video service. It also instructs the agent to detect install path for an attribution header and references a config path (~/.config/nemovideo/) in the frontmatter; this is a minor inconsistency with the registry metadata (the registry listed no required config paths). The instructions do involve sending user-provided files and prompts to an external API (expected), so users should expect their uploads and prompts to be transmitted to that third party.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest-risk installation footprint. There is no download/execute/install step that would write arbitrary code to disk.
- Credentials (note): Only one environment variable is declared (NEMO_TOKEN) and is used as the primary credential, which is proportional to the service. Note: if NEMO_TOKEN is missing the skill will request an anonymous token from the vendor (100 credits, 7-day expiry). The token grants access to the service and to actions like uploads, generation, export, and credit queries, so treat it like any API key.
- Persistence & Privilege (ok): always:false and no persistent installers or hooks are requested. The skill does direct the agent to store session_id locally during a session (expected) but does not request global agent configuration changes or permanent system privileges.
