Skill v1.0.0
ClawScan security
Format Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 11:56 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud-based video conversion tool; it uploads user videos to nemo's API and uses a single service token (NEMO_TOKEN), so the main user decision is whether you trust that external service with your files.
- Guidance: This skill is coherent for cloud video conversion, but it WILL upload any files you give it to https://mega-api-prod.nemovideo.ai. Before using: (1) confirm you're comfortable sending your videos to that service (privacy/sensitivity), (2) consider creating or supplying your own NEMO_TOKEN if you want control over the account used, (3) be aware the skill may read its own frontmatter and detect install paths for attribution headers, and (4) note the minor metadata inconsistency about a config path in the SKILL.md frontmatter — it's likely packaging noise but worth confirming with the publisher if you need guarantees. If any of that is unacceptable, don't install/use the skill.
Review Dimensions
- Purpose & Capability (note): The name/description (convert videos to MP4) matches the declared API endpoints and flows in SKILL.md. Requesting a NEMO_TOKEN and using nemo video endpoints is coherent. Minor inconsistency: the skill's YAML frontmatter (inside SKILL.md) lists a configPaths value (~/.config/nemovideo/) while the registry metadata earlier says Required config paths: none — this mismatch is a packaging/information inconsistency but not evidence of malicious behavior.
- Instruction Scope (note): SKILL.md instructs the agent to (a) check for NEMO_TOKEN and, if missing, obtain an anonymous token from nemo's auth endpoint, (b) create sessions, (c) upload user files (multipart or URL), and (d) poll for render results via SSE or polling. These actions align with the stated purpose. Notable behaviors: the agent will send user video files to an external API (mega-api-prod.nemovideo.ai), will read the skill's own frontmatter to set attribution headers, and will detect install path to populate X-Skill-Platform — these are expected for attribution but do require reading some local paths/metadata.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This is the lowest-risk install model — nothing is automatically downloaded or written to disk by an installer.
- Credentials (note): Only one credential is declared (NEMO_TOKEN) and it is the primary credential used for API calls. The skill will obtain an anonymous token automatically if NEMO_TOKEN is absent; requiring a single service token is proportionate for a cloud conversion service. Users should understand that providing NEMO_TOKEN or using the anonymous token allows the service to receive/upload their video data.
- Persistence & Privilege (ok): always is false and there is no install-time persistence. The skill does not request ability to modify other skills or system-wide agent settings. Autonomous invocation is allowed (the platform default) but not combined with other concerning privileges.
