v1.0.1

neo-ai

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:30 AM.

Analysis

This appears to be a legitimate Neodomain media-generation skill, but it uses an account token and uploads user-selected media to cloud services.

Guidance

Before installing, confirm you trust the skill owner and Neodomain service. Keep NEODOMAIN_ACCESS_TOKEN private, avoid exposing it in shared logs or chats, and only upload prompts, images, audio, or videos that you are comfortable sending to an external cloud API.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
metadata
Source: unknown
Homepage: none

The artifact metadata does not provide a source repository or homepage for independent provenance review.

User impact: Users have less external context for verifying who maintains the skill or where updates come from.
Recommendation: Install only if you trust the ClawHub listing/owner, and review updates before continuing to use the stored token.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/login.py
print(result.get("authorization"))
...
print(f'export NEODOMAIN_ACCESS_TOKEN="{result.get("authorization")}"')

The authentication helper prints the Neodomain access token so the user can place it in an environment variable.

User impact: Anyone who can see the terminal, chat transcript, or logs containing this token may be able to use the user's Neodomain account or credits.
Recommendation: Only run the login flow in a trusted session, avoid sharing transcripts that contain the token, and rotate the token if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
scripts/batch_video.py
with open(local_file, 'rb') as f:
    bucket.put_object(remote_path, f, headers={'Content-Type': content_type})

The batch video workflow uploads user-selected local storyboard images to an external OSS bucket before generating videos.

User impact: Private storyboard images or other media placed in the selected directory may leave the local machine and be stored or processed by Neodomain/OSS services.
Recommendation: Use this only with media you are comfortable uploading to the provider, and review provider retention/sharing policies for sensitive content.