Skill v1.0.0

ClawScan security

Ai Animation Software · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 5:00 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches an online animation service (uploads, render jobs, tokens), but minor inconsistencies and the unknown source mean you should review privacy/credentials and the external API before installing.
Guidance
This skill appears to be a straightforward cloud-based animation client, but take these precautions before installing or using it:

- Privacy: The skill uploads user files (images, video, audio) to https://mega-api-prod.nemovideo.ai. Do not upload sensitive personal data or proprietary media unless you trust the service and its policies.
- Credentials: It requires an API token (NEMO_TOKEN). If you supply a personal token, it grants the service access tied to that account. If you let the skill generate an anonymous token, that token is created by the remote API and used for rendering (100 free credits, 7-day expiry per the docs).
- Unknown source: The skill has no homepage and an unknown owner. Verify the nemovideo.ai domain reputation and the service's privacy/terms before sending important content or account tokens.
- Metadata vs instructions: The metadata lists a config path (~/.config/nemovideo/) even though SKILL.md doesn't explain reading or writing it — ask the author why this is needed and what will be stored there.
- Attribution headers: The skill will include X-Skill-Source/X-Skill-Version/X-Skill-Platform headers, which reveal the skill and platform; consider whether that leakage is acceptable.

If you decide to proceed: prefer using a disposable/anonymous token for testing, avoid uploading sensitive media, and confirm the API's privacy/retention policy. If you need greater assurance, request the maintainer's identity, a homepage, or source code for review.

Review Dimensions

Purpose & Capability
note: Name/description match the runtime instructions: the SKILL.md describes uploading media, creating sessions, streaming edits, and exporting MP4s via a cloud API. Requested credential (NEMO_TOKEN) is appropriate for an API-backed animation service. However, the metadata declares access to a config path (~/.config/nemovideo/) that the instructions never clearly justify, which is a small mismatch.
Instruction Scope
note: Instructions explicitly direct the agent to upload user files and stream commands to https://mega-api-prod.nemovideo.ai, create sessions, poll render status, and persist session tokens. All of these are coherent with an online rendering service. Important privacy/security behavior: user media and any data provided in prompts will be transmitted to an external domain. The skill also instructs the agent to include attribution headers that reveal platform/version info. Nothing in the instructions directs the agent to read unrelated host files or unrelated environment variables.
Install Mechanism
ok: No install step or downloaded code — instruction-only skill — so nothing is written to disk by an installer.
Credentials
note: Only NEMO_TOKEN is required, which fits an API client. The SKILL.md also instructs the agent how to obtain an anonymous token via the API if NEMO_TOKEN is absent (consistent fallback). The minor concern is the metadata's configPaths entry (~/.config/nemovideo/), which implies the skill may read or write a local config directory (not documented in the runtime instructions); that access wasn't justified by the description.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request elevated platform privileges or claim to modify other skills. It will store session tokens and session_id for the rendering workflow (expected for this use-case).