Skill v1.0.0

ClawScan security

Clideo Add Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 18, 2026, 9:54 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (cloud-based video music overlay) and request only a single service token; nothing appears disproportionate or unrelated.
Guidance
This skill will upload your video and audio files to a third-party service (mega-api-prod.nemovideo.ai) and needs a NEMO_TOKEN to authorize operations. If you don't provide a token it will request an anonymous token from that service for limited free credits. Before installing, consider: (1) Do you trust the nemovideo.ai service to handle any private video/audio you upload? (2) If you have an account, prefer supplying your own NEMO_TOKEN so you control credentials and billing; otherwise the skill will create a short-lived anonymous token. (3) The skill is instruction-only (no install scripts), reducing install-time risk, but it will perform network uploads — avoid sending sensitive material unless you accept that risk. (4) If you stop using the skill, revoke or rotate any tokens you supplied. If you want extra assurance, ask the skill author for the service's privacy/retention policy or test with non-sensitive sample videos first.

Review Dimensions

Purpose & Capability
ok
The skill claims to add music/exports videos via a cloud rendering backend and all declared requirements (NEMO_TOKEN, nemovideo API endpoints, optional config path) are consistent with that purpose. No unrelated cloud providers, OS-level binaries, or extra credentials are requested.
Instruction Scope
ok
SKILL.md instructs the agent to upload files, create a session, stream events, poll state, and export, all within the nemovideo API surface. It does not direct the agent to read unrelated user files, secrets, or system configuration beyond detecting install path and reading the skill frontmatter. It explicitly instructs not to expose tokens or raw API output.
Install Mechanism
ok
No install spec or code files are present (instruction-only), so nothing is downloaded or written to disk during install; this is the lowest-risk pattern for install mechanism.
Credentials
ok
Only a single environment credential (NEMO_TOKEN) is declared as required and used. The skill can also acquire an anonymous token from the same service if none is present, which is coherent with its cloud-backed design. The metadata lists an optional config path for nemovideo; this is plausible for storing tokens or settings.
Persistence & Privilege
ok
The skill is not forced always-on (always:false) and does not request system-wide privileges or to modify other skills. Autonomous invocation is allowed by default (normal for skills) but not combined with other high-risk requests.