Skill v1.0.0
ClawScan security
Free Prompt Generator Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 1:37 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud-backed video prompt/rendering helper that uses a single service token (NEMO_TOKEN) and the described nemo API endpoints.
- Guidance: This skill appears to do what it says, but it sends your uploaded media and prompts to an external service (mega-api-prod.nemovideo.ai). Before installing or invoking it:
  1. Decide whether you trust that external service with any video/audio or metadata you upload — sensitive footage or confidential audio should not be uploaded unless the service's privacy policy and security posture meet your requirements.
  2. Understand that if you don't supply NEMO_TOKEN the skill will request an anonymous token from the service and use it (it will create a UUID and POST to the anonymous-token endpoint).
  3. The frontmatter lists a config path (~/.config/nemovideo/) and the runtime guidance implies detecting an install path for attribution headers — confirm whether the agent will read local paths or config files; if you want to avoid that, restrict the skill's file/config access.
  4. There is no install-time code, so risk from local code execution is low, but runtime network traffic and file uploads are the primary risk.
  5. If you have concerns, ask the skill owner for their privacy policy, or run the skill in an environment where uploads are safe (e.g., non-sensitive test media).
Review Dimensions
- Purpose & Capability (ok): Name/description (generate video prompts and render/export MP4) match the declared primary credential (NEMO_TOKEN) and the API endpoints described in SKILL.md. No unrelated credentials or unrelated binaries are requested.
- Instruction Scope (note): SKILL.md stays within the stated purpose: creating sessions, uploading media, streaming SSE, starting exports and polling state. It explicitly sends uploaded user media to the external nemovideo endpoints. Two minor scope notes: (1) frontmatter metadata lists a configPaths entry (~/.config/nemovideo/) but the runtime instructions do not describe reading or writing that path (a small mismatch); (2) the skill asks callers to auto-detect 'install path' for X-Skill-Platform, which implies the agent may inspect its runtime/install path to populate an attribution header.
- Install Mechanism (ok): No install spec or files are installed (instruction-only). This minimizes disk-write/install risk.
- Credentials (note): Only a single credential (NEMO_TOKEN) is required and is consistent with the described service. The skill will also obtain an anonymous token by POSTing to the service if NEMO_TOKEN is absent. Consider whether you want the agent to acquire/use anonymous tokens automatically. The configPaths entry in metadata is unexplained and could allow reading a user config if implemented.
- Persistence & Privilege (ok): Skill is not always-on, does not request elevated platform privileges, and does not attempt to modify other skills or global agent settings in the instructions.
