Skill v1.0.0
ClawScan security
Ai Video Pro Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 12, 2026, 1:39 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior generally matches a cloud video-editing plugin, but there are inconsistencies (metadata vs registry) and practices (automatic token issuance/storage, filesystem detection) that merit caution before installing.
- Guidance: This skill appears to be a straightforward cloud video editor, but there are a few things to check before installing:
  - Clarify the config-path inconsistency: SKILL.md's metadata references ~/.config/nemovideo/ while the registry metadata lists no required config paths. Ask the author where tokens and session data will be stored and whether the skill will write files under that path.
  - Token handling: the skill will auto-request an anonymous NEMO_TOKEN from mega-api-prod.nemovideo.ai if none is present. Confirm you trust that backend and its operator before allowing automatic token creation or persistent storage. If you prefer control, pre-set NEMO_TOKEN yourself instead of allowing auto-provisioning.
  - Privacy and data retention: uploading videos to an unknown backend can expose sensitive content. Confirm the provider's privacy policy / terms and whether uploaded footage is retained, inspected, or used for model training.
  - Attribution headers & environment detection: the skill inspects install paths to set X-Skill-Platform and sends X-Skill-Source headers. If you prefer not to leak environment details, ask the author to allow opt-out or to avoid adding install-path-derived headers.
  - No install code present: because this is instruction-only, there was nothing for static scanning. That makes runtime behavior (HTTP calls, token storage) the main surface to review — consider testing with non-sensitive sample clips and a disposable account/token first.
  If these questions are unanswered or you cannot verify the backend/operator, treat this skill as higher-risk and avoid granting it persistent tokens or writing permissions on your machine.
Review Dimensions
- Purpose & Capability
  - note: Name/description align with cloud video editing and the only declared credential (NEMO_TOKEN) is reasonable for an API-backed editor. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier states no required config paths — this mismatch is an incoherence that should be resolved (is the skill expected to read/write that directory?).
- Instruction Scope
  - note: Runtime instructions stay within video upload, SSE, session management and exports. They do instruct the agent to: auto-generate an anonymous token if NEMO_TOKEN is missing, create/store a session_id, and detect the install path to set X-Skill-Platform headers — all of which require reading/writing environment and filesystem state. The instructions do not ask the agent to read unrelated user files or unrelated credentials, but the install-path detection and implied token storage expand scope beyond simple API calls.
- Install Mechanism
  - ok: Instruction-only skill with no install spec or code files — lowest risk class for installation mechanism. There is no remote download instruction in the SKILL.md.
- Credentials
  - concern: The skill only declares a single credential (NEMO_TOKEN), which fits the use case. However, SKILL.md implies creating/storing anonymous tokens and references a config directory (frontmatter) that the registry did not declare. Automatic token acquisition and persistence (unclear where/how long tokens/sessions are stored) increases risk if tokens are written to disk or reused across contexts. Also, the skill's source and backend domain (mega-api-prod.nemovideo.ai) are not documented elsewhere (no homepage), so it's unclear who controls the tokens and how they're protected.
- Persistence & Privilege
  - ok: Skill is not set to always:true and uses normal autonomous invocation. It asks to manage a session and tokens for its own backend but does not request system-wide privileges or modify other skills' configs per the provided instructions.
