Skill v1.0.0
ClawScan security
Free Photo Video Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 10, 2026, 11:45 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches a cloud photo→video service (it asks only for a NEMO_TOKEN and describes appropriate API calls), but there are inconsistencies around declared config paths / install-path detection and the runtime instructions reference reading install/config locations which is disproportionate and worth caution.
- Guidance: This skill looks like a typical cloud photo→video API client and only asks for a NEMO_TOKEN, which is expected. Things to check before installing: 1) Confirm you trust https://mega-api-prod.nemovideo.ai (owner/domain) and review its privacy/storage policy — you will be uploading images. 2) Ask the publisher why the SKILL.md lists a config path (~/.config/nemovideo/) and why the skill would probe install paths (~/.clawhub/, ~/.cursor/skills/); if you don’t want local filesystem probing, avoid installing or ask them to remove that behavior. 3) Prefer using an anonymous token (temporary) instead of a long-lived account token if you’re concerned about data retention. 4) Do not upload sensitive images to an unknown service. If the vendor/publisher cannot explain the configPath/install-path checks, treat the skill with caution.
Review Dimensions
- Purpose & Capability (note): The name/description, API endpoints, and the single required env var (NEMO_TOKEN) are consistent with a cloud video-rendering service. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths; this mismatch suggests the skill may expect to read user config files or detect install paths, which is not necessary for basic upload/render functionality.
- Instruction Scope (concern): Instructions direct the agent to obtain or use NEMO_TOKEN, create sessions, upload files, stream SSE messages, and poll/render — all reasonable for the stated purpose. But the runtime text also instructs detecting an install path (~/.clawhub/, ~/.cursor/skills/) and deriving X-Skill-Platform from it, and references a config path in frontmatter. That implies probing the user's home filesystem/install locations which is beyond what a pure API-based cloud renderer needs. It also tells the agent to save session_id locally (expected) and to include tokens in headers; ensure tokens aren't printed or leaked.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing is written to disk by the skill bundle itself. Lower install surface compared to skills that download or extract archives.
- Credentials (note): Only NEMO_TOKEN is declared as required (primary credential), which aligns with a service that needs bearer auth. The SKILL.md can also generate an anonymous token via the service's anonymous-token endpoint if NEMO_TOKEN is absent. The unexpected mention of configPaths in SKILL.md frontmatter is disproportionate to a simple API client and should be clarified.
- Persistence & Privilege (ok): always is false and the skill does not request persistent platform-wide privileges. It describes storing a session_id for the session lifecycle (normal). It does not declare modifying other skills or system-wide settings.
