Skill v1.0.0
ClawScan security
Free Jesus Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Benign · Apr 28, 2026, 5:49 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions largely match its stated purpose (calling a nemo video render API and uploading user media), but there are small inconsistencies you should be aware of before installing.
- Guidance: This skill is coherent with its stated purpose: it will upload media you provide to a third‑party API (mega-api-prod.nemovideo.ai) and use a NEMO_TOKEN to authenticate. Before installing:
  1. Confirm you trust nemovideo.ai with any media you upload (privacy, copyright, and religious-sensitivity implications).
  2. Prefer using the anonymous token flow if you don't want to provide a long‑lived NEMO_TOKEN; do not store sensitive credentials in NEMO_TOKEN.
  3. Ask the skill author to clarify the manifest mismatch (SKILL.md frontmatter references ~/.config/nemovideo/ while registry metadata did not); if you are uncomfortable with the skill reading that config path, deny that access.
  4. Monitor any prompts asking to read additional local files or other environment variables; those would be out of scope and should be rejected.
  If you want higher assurance, request the author to publish the skill source or a minimal privacy/security statement showing exactly what local paths/credentials the skill will access.
Review Dimensions
- Purpose & Capability (note): The name/description match the runtime instructions: the SKILL.md exclusively describes calls to mega-api-prod.nemovideo.ai for session creation, SSE-based generation, upload, and export. Requiring a NEMO_TOKEN credential is reasonable for this cloud video service. One mismatch: the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata shown to you lists no required config paths; this is an inconsistency in the manifest (could be harmless bookkeeping or an omitted requirement).
- Instruction Scope (note): Instructions confine actions to the nemovideo API (session creation, SSE, upload, render/polling). It explicitly requires uploading user-supplied media (multipart files or URLs) to the remote service; that is expected but is an important privacy surface. The skill also asks to auto-detect the install path for the X-Skill-Platform header and may read local file paths when uploading (e.g., multipart -F "files=@/path"). There are no instructions to read unrelated system files or other credentials, but the presence of a config path in the frontmatter suggests it may also look in ~/.config/nemovideo/ for saved credentials; that should be clarified.
- Install Mechanism (ok): No install spec or code is present; this is instruction-only and won't write code to disk during install. That minimizes local-install risk.
- Credentials (note): Only one env var is declared as required: NEMO_TOKEN (primary credential). That is proportional for a cloud API client. However, the SKILL.md also references a config path (~/.config/nemovideo/) in its frontmatter which was not reflected in the registry-level required config paths; a manifest mismatch. The skill documents a fallback to create an anonymous token via an API call (ephemeral token, 7‑day expiry), which reduces the need to provide a long-lived secret.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable; it will create session IDs and use tokens for remote jobs but does not ask for elevated or persistent platform privileges. It may store session state for job polling, which is expected for this functionality.
