Skill v1.0.0

ClawScan security

Maker Fast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 6:05 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior (uploading user videos to an external rendering API and creating session tokens) is coherent with its video-editing purpose, but there are provenance and metadata inconsistencies and some vague instructions that warrant caution before installation.
Guidance
This skill behaves like a cloud video-rendering service: it will upload your footage to https://mega-api-prod.nemovideo.ai, create sessions, and return download URLs. Before installing, verify the publisher and the service domain (there's no homepage or public source listed). Consider these points:

- Privacy: your raw videos will be sent to a third-party server. Don't upload sensitive or private footage unless you trust the provider and understand its retention/processing policies.
- Credentials: the skill expects NEMO_TOKEN (or will obtain an anonymous token). Only provide a token if you trust the service; anonymous tokens have limited credits and will expire.
- Metadata mismatch: SKILL.md mentions a local config path (~/.config/nemovideo/) that is not listed in the registry metadata. Ask the publisher whether the skill will read local files or write configs.
- Header behavior: the skill asks the agent to derive X-Skill-Platform from install paths; that could reveal local path information. Confirm what local metadata the skill will access.
- Provenance: no homepage/source is provided. If you need stronger assurance, request the skill's source, privacy/TOS, or an official domain/owner identity before using it with sensitive data.

If you proceed, test with non-sensitive footage first and monitor network activity and any account/credit links the skill provides.

Review Dimensions

Purpose & Capability
note: The skill's declared purpose—cloud-based fast video creation—matches the described network actions (uploading footage, creating render jobs, polling status). However, there is a metadata mismatch: the registry lists no required config paths, but the SKILL.md frontmatter claims a config path (~/.config/nemovideo/) that is not reflected in the registry metadata. The unknown source/homepage also reduces confidence in the publisher.
Instruction Scope
concern: Runtime instructions direct the agent to obtain/use a bearer token, POST file uploads and SSE streams to a third-party API, create sessions, and poll render status. These actions are expected for a cloud render service, but the doc also tells the agent to 'detect' the install path to set X-Skill-Platform (potentially requiring access to local install paths) and to keep technical details out of chat. The instructions are prescriptive about headers and error handling, but somewhat vague about how to detect install paths or whether the local config (~/.config/nemovideo/) should be read, which grants the agent discretionary access that isn't fully justified in the metadata.
Install Mechanism
ok: Instruction-only skill (no install spec, no code files). This minimizes disk-write/install risk.
Credentials
note: The skill requires a single credential (NEMO_TOKEN), which is proportional for a cloud API. It also documents an anonymous-token flow so it can operate without a pre-provided token. The SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) while the registry shows none — this inconsistency should be clarified. No other unrelated secrets are requested.
Persistence & Privilege
ok: The skill is not forced-always, has no install steps, and does not request exceptional platform privileges. It will create transient cloud sessions and jobs, which is expected. No evidence it modifies other skills or system settings.