Skill v1.0.0

ClawScan security

Generator Capcut · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 4:41 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (cloud video editing) matches most of its instructions, but there are metadata inconsistencies, missing provenance (no homepage/source), and it instructs the agent to upload user videos and acquire/use tokens—behavior you should verify before trusting with private content.
Guidance
This skill appears to do what it claims (upload your video to a cloud renderer), but there are a few reasons to be cautious: 1) There is no homepage or source repository to verify the service and its privacy/security practices. 2) The SKILL.md will upload your media to a third-party endpoint and can obtain and store an anonymous NEMO_TOKEN if none is provided — if your videos are sensitive, do not use this with private content. 3) Registry metadata and the SKILL.md disagree about config paths (SKILL.md references ~/.config/nemovideo/) — ask the author to explain and provide a privacy/retention policy and source code. Recommended steps before installing: test with non-sensitive sample videos, request the service's privacy policy and retention/deletion API, prefer supplying your own token if you have one, and ask the publisher for a homepage or repository to confirm legitimacy.

Review Dimensions

Purpose & Capability
note: The skill claims to perform cloud video editing and its runtime instructions describe uploading clips, creating sessions, streaming SSE, and starting renders on a remote API (mega-api-prod.nemovideo.ai) — these actions are coherent with the stated purpose. However, registry metadata and the SKILL.md disagree: the top-level registry says no required config paths while the SKILL.md frontmatter lists a config path (~/.config/nemovideo/). Also there is no homepage or source repository listed, making it hard to verify the backend/service.
Instruction Scope
ok: The SKILL.md focuses on network interactions with the named backend, token handling, uploads, SSE streaming, polling render status, and response translation. It does not (in the visible portion) instruct reading unrelated local files or environment variables beyond NEMO_TOKEN. These actions stay within editing/export scope, but they do involve sending user media and metadata to a third-party service.
Install Mechanism
ok: Instruction-only skill with no install spec or code files — lowest install risk. The runtime relies on the agent performing HTTP requests and uploads rather than installing binaries.
Credentials
note: Only NEMO_TOKEN is declared as required (primaryEnv), which is appropriate for a cloud API. However, the SKILL.md also documents a self-service anonymous-token flow (POST to /api/auth/anonymous-token) that will create and store a token if NEMO_TOKEN is missing — raising the question of why NEMO_TOKEN is mandatory in registry metadata. The SKILL.md frontmatter also references a config path (~/.config/nemovideo/) that the registry metadata omitted.
Persistence & Privilege
ok: Skill does not request always:true and is user-invocable; it instructs maintaining per-session session_id and tokens for the duration of operations, which is normal for a remote-rendering integration. No instructions (in the visible content) to modify other skills or global agent settings.