Skill v1.0.0
ClawScan security
Free Viral Title Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 12:01 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims to be a 'title generator' but its runtime instructions perform full video upload/rendering to an external API and request an API token — the scope and data access go beyond what the name/description imply.
- Guidance: This skill will upload your video and related metadata to a third-party API (mega-api-prod.nemovideo.ai) and may create or use an API token (NEMO_TOKEN) for that service. Before installing or using it:
  1. Treat it as a service that sends your files off-device — don't upload sensitive or private videos.
  2. If asked, prefer using an anonymous starter token for testing rather than placing a permanent token in your environment.
  3. The skill's name implies 'title suggestions' but the runtime behavior includes full cloud rendering and file transfers — verify you want that functionality.
  4. There is no homepage or provenance info; consider testing with non-sensitive sample files and look up the service domain and privacy policy externally before trusting it with real content.
Review Dimensions
- Purpose & Capability: concern. The skill's name/description emphasize generating viral titles, but the SKILL.md documents a full cloud render pipeline (video uploads, track edits, SSE chat, render/export endpoints and 1080p MP4 downloads). Requiring media upload, render jobs, and session management is much broader than a simple 'title suggestion' tool and may surprise users.
- Instruction Scope: concern. Runtime instructions direct the agent to upload user video files (up to 500MB) and poll/render on a remote service at https://mega-api-prod.nemovideo.ai. The agent is told to create sessions, include Authorization headers, handle SSE streams and poll exports. This involves transmitting potentially sensitive user media and metadata to an external endpoint — behavior not obvious from the skill's name alone. The SKILL.md does not instruct reading unrelated local files, but it does suggest detecting install/config paths and sending attribution headers on every request.
- Install Mechanism: ok. This is instruction-only with no install spec and no code files, so nothing is written to disk by an installer here. That reduces the risk from arbitrary installs.
- Credentials: note. Only a single API credential (NEMO_TOKEN) is declared — which is reasonable for calling an external API. The skill also provides a fallback to request an anonymous token from the service if no NEMO_TOKEN is present; that means the agent will perform network requests to obtain credentials on the fly. The metadata also references a config path (~/.config/nemovideo/) which may indicate the skill expects stored tokens or settings — users should verify why that path is needed.
- Persistence & Privilege: ok. The skill is not marked always:true and does not request elevated platform-wide privileges. It is user-invocable and allowed to run autonomously by default (normal for skills). It does not declare writing/modifying other skills or system-wide settings.
