Skillv1.0.0

ClawScan security

Making Video Hd Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 15, 2026, 8:09 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent with its stated purpose (upscaling/uploading videos to a remote rendering API), but there are a few minor metadata inconsistencies and privacy considerations you should review before use.
Guidance: This skill uploads your video files to a third-party rendering service (https://mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN (or will generate a short-lived anonymous token). Before installing or using it, consider: 1) privacy—your footage and any embedded sensitive content will be sent to and processed by that remote service; 2) verify the service owner, terms, and data retention policy (no homepage or source given here); 3) clarify the config-path discrepancy (~/.config/nemovideo/ is mentioned in the SKILL.md metadata but not in registry metadata); 4) avoid using sensitive or regulated footage until you confirm the provider's policies; and 5) confirm that your agent implementation will not log or leak NEMO_TOKEN values (the skill instructs not to print tokens, but you should verify logs/telemetry). If you need stronger assurances, ask the skill author for a privacy policy, source code, or an official homepage before proceeding.

Review Dimensions

Purpose & Capability: noteThe skill claims to perform remote AI video upscaling and its only required credential is NEMO_TOKEN, which matches that purpose. One inconsistency: the SKILL.md frontmatter metadata lists a config path (~/.config/nemovideo/) while the registry metadata reported earlier said no required config paths — this mismatch should be clarified.
Instruction Scope: noteThe instructions are prescriptive and stay within the upload→session→render workflow against the nemo API. They explicitly instruct generating an anonymous token (if none provided), creating a session, streaming SSE messages, uploading files (multipart with local file paths or URLs), polling renders, and returning download URLs. This requires sending user video files and metadata to a third-party API (mega-api-prod.nemovideo.ai); that is expected for the stated purpose but is a privacy and data-exfiltration consideration the user must accept. The instructions do not request unrelated system files or additional credentials.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That minimizes installation risk.
Credentials: noteOnly NEMO_TOKEN is declared as required (primaryEnv), which is proportionate for a remote service. However, the SKILL.md metadata references a config path (~/.config/nemovideo/) not present in registry metadata — clarify whether local config access is required. Also note the skill may generate and use short-lived anonymous tokens if no NEMO_TOKEN is provided.
Persistence & Privilege: okThe skill is not set to always: true and uses normal autonomous invocation default. It does not request elevated system persistence or modify other skills' configs in the provided instructions.