Skill v1.0.0

ClawScan security

Ai Video Editor For Captions · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 21, 2026, 6:46 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (cloud video captioning) matches most of its instructions, but there are a few inconsistencies and minor privacy/network concerns you should understand before installing.
Guidance
This skill appears to genuinely call a cloud backend to generate and burn in captions, which explains the NEMO_TOKEN and the network endpoints. Before installing:
1) Verify you trust the domain (mega-api-prod.nemovideo.ai / nemovideo.ai) and their privacy policy — your videos will be uploaded to that service.
2) Ask the author whether the anonymous token or session_id is persistently written to disk (e.g., ~/.config/nemovideo/) or stored only in memory; prefer ephemeral tokens if you have privacy concerns.
3) Clarify the registry-vs-SKILL.md mismatch about required config paths.
4) If you need stronger guarantees, avoid providing a long-lived NEMO_TOKEN and prefer using a short-lived anonymous token or an account token you can revoke.
If you are uncomfortable with automatic outbound auth/network calls or unknown third-party hosting of your media, do not install.

Review Dimensions

Purpose & Capability
note
Name/description align with cloud-based captioning and the SKILL.md directs requests to a nemovideo.ai backend, which is expected. However, the SKILL.md's frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata above the file listed no required config paths; this mismatch should be clarified.
Instruction Scope
concern
Instructions routinely send user video and metadata to https://mega-api-prod.nemovideo.ai (upload, SSE, render). That is coherent for a cloud render service, but the skill also instructs the agent to automatically create anonymous tokens and to detect install paths (e.g., ~/.clawhub/, ~/.cursor/skills/) and read this file's frontmatter for attribution headers. Detecting install path implies filesystem checks beyond simply handling an uploaded video; automatic anonymous token generation means the agent will make outbound auth/network calls if NEMO_TOKEN isn't present.
Install Mechanism
ok
No install spec and no code files; the skill is instruction-only. This minimizes disk-write/install risk.
Credentials
note
Only one environment variable (NEMO_TOKEN) is declared, which is appropriate for an API-backed service. However, the SKILL.md behavior (generating/storing anonymous token, storing session_id, and frontmatter reference to a config path) implies the skill may persist tokens or session state to a config location; the registry-level metadata contradicted the SKILL.md on required config paths. Confirm where tokens/sessions are stored and how long-lived they are.
Persistence & Privilege
ok
always:false and normal autonomous invocation. The skill uses session tokens that can orphan cloud render jobs if you close the UI, but it does not request permanent platform privileges.