Skill v1.0.0
ClawScan security
Unified Video Lyrics Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 12:58 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are generally consistent with a cloud-based video/lyrics rendering service, but there are small metadata inconsistencies and no publisher/homepage, which reduce confidence; review the remote endpoint and token use before installing.
- Guidance: This skill appears to do what it says: it uploads videos to a remote render service and returns synced-lyrics videos. Before installing or using it, consider: (1) the service endpoint (https://mega-api-prod.nemovideo.ai) will receive your video/audio: confirm you trust the operator and understand the privacy policy; (2) the NEMO_TOKEN grants API access tied to your account or to an anonymous starter token, so avoid putting long-lived or highly-privileged credentials here; (3) the frontmatter mentions a local config path (~/.config/nemovideo/) that the registry metadata did not, so ask the publisher whether the skill reads local config files; (4) there is no homepage or publisher information listed, so prefer skills from known vendors or ask the author for identity and documentation; (5) because this is instruction-only, static scanners had nothing to analyze: network calls and data uploads are performed at runtime, so review endpoints and headers. If you proceed, consider testing with non-sensitive videos and a throwaway/anonymous token first.
Review Dimensions
- Purpose & Capability (note): The name/description match the actions in SKILL.md (upload video, create session, render/export). Requesting a NEMO_TOKEN as the primary credential is appropriate for a hosted service. Minor inconsistency: the top-level registry metadata lists no required config paths, but the skill frontmatter advertises a config path (~/.config/nemovideo/); this mismatch should be clarified.
- Instruction Scope (ok): Instructions focus on connecting to the remote API, creating sessions, uploading video files, reading SSE events, polling render status, and returning download URLs, all expected for a cloud render/lyrics-sync service. The SKILL.md does not instruct reading unrelated local files or unrelated environment variables.
- Install Mechanism (ok): No install spec and no code files (instruction-only skill). This is the lowest-risk install mechanism (nothing written to disk by the skill itself).
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared and used, which is proportionate. However, the frontmatter references a local config path (~/.config/nemovideo/) which was not declared elsewhere in registry metadata; if the skill actually reads that path at runtime it would expand its scope and should be disclosed. The skill also instructs emitting attribution headers derived from install path detection (reading install path metadata), which is minor but worth noting.
- Persistence & Privilege (ok): The skill is not forcing persistent inclusion (always:false) and does not request elevated system privileges. It does not instruct modifying other skills or system-wide config. Autonomous invocation remains allowed (platform default) but does not combine here with other high-risk flags.
