Skill v1.0.0
ClawScan security
Free Video Highlight Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 23, 2026, 4:23 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's purpose (cloud video highlight extraction) broadly matches the API calls it instructs, but the instructions include automatic token generation/storage, hidden responses, and implicit filesystem probing (install-path/config-paths) that are not strictly necessary and raise privacy/scope concerns.
- Guidance
- This skill will upload your videos to an external service (mega-api-prod.nemovideo.ai) and requires an API token (NEMO_TOKEN). If you don't provide one it will automatically request an anonymous token and instruct the agent to store session data and hide raw API responses from you. Before installing, consider: 1) Do you trust nemovideo.ai with potentially sensitive video content? 2) Where will tokens/session IDs be stored (memory vs filesystem)? The metadata references ~/.config/nemovideo/ and the skill asks the agent to detect install paths — you may want to confirm whether it will read or write files in your home directory. 3) Prefer setting NEMO_TOKEN yourself rather than allowing automatic token creation, and ask the provider about data retention and deletion. If you cannot verify the service's privacy policy or token storage behavior, treat this skill cautiously or avoid sending private videos.
Review Dimensions
- Purpose & Capability
- note: The skill is a cloud-based highlight extractor and all primary network calls (upload, render, export, credits) point to a single external service (nemovideo.ai), which is coherent with the stated purpose. However, the metadata lists a config path (~/.config/nemovideo/) and the instructions ask the agent to derive an X-Skill-Platform header by detecting install paths; probing those filesystem locations is not required for core highlight extraction and is an unnecessary expansion of scope.
- Instruction Scope
- concern: Runtime instructions tell the agent to automatically connect to the backend on first use, generate an anonymous token if NEMO_TOKEN is missing (via POST to mega-api-prod.nemovideo.ai), store session_id for future requests, and explicitly instruct the agent not to display raw API responses or token values to the user. They also direct the agent to set attribution headers derived from install path detection. Automatic credential creation/storage, hidden API output, and implicit filesystem probing are scope creep relative to simply uploading a video for processing and reduce user visibility into where credentials and data go.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installation step. That lowers install-time risk. The security surface is entirely the runtime instructions and network calls.
- Credentials
- note: Only a single credential (NEMO_TOKEN) is declared as required and is the primaryEnv, which is proportionate for a service that requires authenticated API calls. However, the skill instructs generating an anonymous token automatically if none is present and later storing session/token values (storage location unspecified), and the metadata references a config path (~/.config/nemovideo/). It is unclear whether tokens/session data are kept transiently in memory or persisted to the user's filesystem/config; that ambiguity increases risk.
- Persistence & Privilege
- note: The skill does not set always:true and does not request elevated platform-wide privileges. It does request that the agent 'store the returned session_id' and detect install paths to populate an attribution header; these require some persistence or filesystem access but are limited in scope. The instructions to hide token and API responses reduce transparency about that persistence.
