Skill v1.0.0

ClawScan security

Karaoke Video Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review (Apr 15, 2026, 7:22 AM)
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions mostly match a remote video-rendering service, but a few inconsistencies and opaque behaviors (automatic anonymous token issuance, an instruction to hide token/response details, and a mismatched config-path declaration) merit caution before installing.
Guidance
This skill behaves like a remote rendering service: it will upload files you provide to mega-api-prod.nemovideo.ai, obtain or use a NEMO_TOKEN, create sessions, and return rendered video URLs. Things to consider before installing:
- Trust: verify you trust the domain (mega-api-prod.nemovideo.ai / nemovideo.ai) before uploading any sensitive audio or other files. If you can't verify the service, don't upload private content.
- Token handling: the skill will auto-request an anonymous token if none is present. If you prefer control, set NEMO_TOKEN yourself rather than letting the skill request one automatically.
- Hidden responses: the instructions explicitly tell the agent not to display raw API responses or token values; this reduces transparency about what was sent and returned. Ask the publisher why that is necessary and insist on audit/log options if you need them.
- Config-path inconsistency: SKILL.md mentions ~/.config/nemovideo/ though registry metadata did not; ask whether the skill will read or write local config files and why.
- Least-privilege: avoid uploading any files that contain secrets or private data unless you are comfortable that the external service and domain are legitimate. If you need higher assurance, request the publisher's homepage or official repo, or prefer a skill that documents exact local file access and does not hide API responses.

Review Dimensions

Purpose & Capability
note: The skill's name and description (remote karaoke video rendering) align with the API endpoints and upload/export flows documented in SKILL.md. Requiring a single service token (NEMO_TOKEN) is proportionate. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata did not list; that mismatch should be clarified.
Instruction Scope
concern: Instructions direct the agent to obtain an anonymous token automatically (POST to mega-api-prod.nemovideo.ai), create sessions, upload user files (multipart uploads or URL-based), run SSE streams, poll render jobs, and return download URLs, all of which is expected for a remote render service. Two concerning items: (1) the runtime guidance explicitly says 'Don't display raw API responses or token values to the user', which could hide important information about what was sent/returned; (2) the frontmatter references reading an install path to auto-detect platform, implying the agent may access local path/install metadata. These behaviors increase the risk of hidden network activity or opaque handling of credentials.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files; it won't write new binaries to disk. That is the lowest-risk install mechanism.
Credentials
note: Only NEMO_TOKEN is declared as required and is the primary credential, which is appropriate for a remote API service. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) not reflected in the registry's required-config list; the skill does not describe why local config access would be needed. No other unrelated secrets are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It describes creating and storing a session token for the duration of the session, which is normal for a remote service integration.