Low Risk — Risk Score 20/100
Last scan: 19 hr ago
nova-video
Generate images or videos using the Nova Video OpenAPI with a single sentence
This is a legitimate Nova Video API skill with minor documentation issues - hardcoded example API key placeholders in setup instructions, but no actual credential theft or malicious behavior.
Skill Name: nova-video
Duration: 32.0s
Engine: pi
Safe to install
Replace the hardcoded example API key with a clear placeholder indicator (e.g., 'nv_sk_YOUR_KEY_HERE') and add a prominent warning that users must supply their own key. Otherwise, the skill is safe for use.

Findings (2 items)

Severity | Finding | Location
Low | Hardcoded API key placeholders in documentation (Doc Mismatch) | SKILL.md:39
  SKILL.md contains example API key strings ('nv_sk_xxx...' and 'nv_sk_your_key_here') in the setup instructions. While these appear to be placeholders (not real credentials), displaying key-like strings in docs is a documentation anti-pattern that could confuse users about proper credential handling.
  export NOVA_API_KEY="nv_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  → Replace with a clearly labeled placeholder format like 'nv_sk_YOUR_KEY_HERE' and add a comment stating 'Replace with your actual API key from the dashboard'
Low | Redundant placeholder key in error handling section (Doc Mismatch) | SKILL.md:57
  Line 57 repeats the 'nv_sk_your_key_here' placeholder in the instructions for users who don't have an API key.
  export NOVA_API_KEY="nv_sk_your_key_here"
  → Use consistent placeholder formatting and add a visual warning box distinguishing example values from user-specific configuration
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | SKILL.md:45-50 - curl POST to nova-video.onesolo.app
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:45-50 - curl commands for API calls are declared
Filesystem | NONE | NONE | | No file operations detected
Environment | READ | READ | ✓ Aligned | SKILL.md:38 - Reads NOVA_API_KEY and NOVA_BASE_URL
Skill Invoke | NONE | NONE | | No skill invocation detected
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser access detected
Database | NONE | NONE | | No database access detected
Pattern matches: 6 findings (2 High)

High | API Key | Suspected hardcoded credential
  API_KEY="nv_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  SKILL.md:39
High | API Key | Suspected hardcoded credential
  API_KEY="nv_sk_your_key_here"
  SKILL.md:57
Medium | External URL | External URL
  https://nova-video.onesolo.app/SKILL.md
  SKILL.md:19
Medium | External URL | External URL
  https://clawhub.ai
  SKILL.md:26
Medium | External URL | External URL
  https://nova-video.onesolo.app
  SKILL.md:40
Medium | External URL | External URL
  https://nova-video.onesolo.app**
  SKILL.md:51

File Tree

1 file · 12.1 KB · 369 lines
Markdown: 1 file · 369 lines
└─ SKILL.md (Markdown, 369 lines, 12.1 KB)

Security Positives

✓ Uses environment variables (NOVA_API_KEY) for credential management - good security practice
✓ Declares all network activity (curl to nova-video.onesolo.app) in documentation
✓ Single-purpose skill focused on image/video generation via OpenAPI
✓ No access to sensitive files (~/.ssh, ~/.aws, .env, etc.)
✓ No obfuscation techniques (base64, eval, etc.)
✓ No credential harvesting or data exfiltration behavior
✓ No reverse shell, C2, or persistence mechanisms
✓ Clear error handling for API authentication failures