Skill v1.0.0
ClawScan security
Francais Photo Video Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 11, 2026, 1:10 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches a cloud video-rendering purpose, but there are inconsistencies (missing provenance, a config-path mismatch between manifest and registry, and instructions that will transmit user files/tokens to an external API) that merit caution before installing or uploading content.
- Guidance: This skill appears to implement a cloud-based French photo→video workflow and will send any images you provide (and an auth token) to https://mega-api-prod.nemovideo.ai. Before installing or using it:
  1. Be cautious about uploading sensitive photos (personal, legal, proprietary) because they will leave your machine.
  2. Verify the service provenance — there is no homepage or source repo listed; ask the publisher for an official domain, privacy policy, or source code.
  3. Note the manifest inconsistency: SKILL.md references ~/.config/nemovideo/ while registry metadata lists no config paths — ask the author why.
  4. Treat NEMO_TOKEN like a password; don’t reuse other service credentials here.
  5. If you need stronger assurance, request the skill’s source code or an official endpoint confirmation and check their data retention/privacy terms; otherwise consider using an alternative with verifiable provenance.
Review Dimensions
- Purpose & Capability (note): The name/description (cloud French photo→video maker) aligns with the network API endpoints and the single required credential (NEMO_TOKEN). However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — that mismatch is unexpected. Also, there is no homepage or source repo listed, so the service provenance is unknown.
- Instruction Scope (concern): The instructions direct the agent to upload user-supplied files and manage a session token with the third-party API (mega-api-prod.nemovideo.ai). If NEMO_TOKEN is missing, the agent will generate a UUID and obtain an anonymous token from the remote API — i.e., the skill will perform network calls and transmit uploaded files and derived tokens to an external service. The SKILL.md also asks the agent to 'auto-detect' the platform from an install path (which could require reading filesystem/install-path info) and to 'keep technical details out of the chat' (which hides operational details from the user). These actions are coherent with the stated purpose but increase privacy/exfiltration risk for uploaded images and metadata.
- Install Mechanism (ok): There is no install spec and no code files — the skill is instruction-only. That minimizes on-disk installation risk.
- Credentials (note): Only one credential is declared (NEMO_TOKEN), which is appropriate for a hosted API. The SKILL.md behaviour of falling back to an anonymously provisioned 7-day token is plausible. Still, because uploads (images/audio) will be sent to an external API, users should treat NEMO_TOKEN as sensitive and avoid providing other unrelated credentials. The mismatch between frontmatter configPaths and the registry's 'no config paths' is noted.
- Persistence & Privilege (ok): The skill is not marked 'always' and does not request elevated or persistent platform privileges. It does require maintaining a session_id for in-flight jobs, which is normal for a cloud render workflow.
