Skill v1.0.0

ClawScan security

Video Maker For Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 6:45 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud video-rendering service (it needs a service token, uploads media, and talks to a remote API). However, it will obtain and use a token and upload files to a third-party endpoint, so you should review privacy and trust before using it.
Guidance
This skill appears to do what it says: it will call a third‑party API (mega-api-prod.nemovideo.ai), upload any media you provide, and manage an anonymous service token (valid 7 days) and session_id for rendering. Before installing or using it, make sure you trust that remote service with the files you will upload (do not upload sensitive personal or proprietary media). If you prefer more control, set NEMO_TOKEN manually rather than letting the skill fetch an anonymous token, and ask the agent not to read local config paths or reveal stored tokens. Also confirm retention/processing policies with the service owner since the skill will send your media and metadata to an external API.

Review Dimensions

Purpose & Capability
ok: The skill claims to create/export videos via a cloud backend and only requests a single service credential (NEMO_TOKEN) and a related config path (~/.config/nemovideo/). Those requirements are consistent with a cloud rendering service that needs an API token and may store session/config data locally.
Instruction Scope
note: Runtime instructions direct the agent to obtain an anonymous token (POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token) if NEMO_TOKEN isn't set, create a session, upload user files, and poll for render status. This is expected for the described functionality, but the skill also instructs detecting the agent's install path for attribution headers (reading paths like ~/.clawhub/ or ~/.cursor/skills/) and asks to 'store' session_id without specifying secure storage. Those behaviors expand scope into filesystem reads and local state persistence and should be acknowledged.
Install Mechanism
ok: No install spec and no code files (instruction-only). This is low-risk from an installation perspective because nothing is downloaded or written by the skill on install.
Credentials
note: Only NEMO_TOKEN is declared as required (primaryEnv). That aligns with a cloud API. The metadata also lists a config path (~/.config/nemovideo/), which implies the skill may read local configuration files; the SKILL.md further instructs detecting install paths for attribution. Those filesystem accesses are plausible but could expose local config if present; confirm what will be read before granting access.
Persistence & Privilege
ok: The skill does not request 'always: true' and uses normal autonomous invocation. It instructs persisting a session_id for subsequent API calls (expected for session-based APIs). It does not ask to modify other skills or global agent settings.