Skill v1.0.0

ClawScan security

Ai Video For Product Marketing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 13, 2026, 4:48 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's functionality matches its description (cloud-based video rendering) and it only needs a service token, but there are provenance and metadata inconsistencies and the runtime instructions imply reading install/config paths and sending your files to an external API with no homepage or source — you should verify before installing or sending sensitive assets.
Guidance
This skill appears to do what it says (upload your images/video to a remote render service), but there are a few red flags: 1) the skill will transmit your media and a session token to mega-api-prod.nemovideo.ai — there is no homepage or source given, so verify the service's owner, terms, and privacy before uploading sensitive content; 2) SKILL.md metadata mentions a config path and asks to derive an attribution header from the agent's install path (which would require the agent to inspect filesystem paths) — ask the author what exact file/path access is needed and why; 3) prefer using an anonymous token (the skill supports creating one) rather than placing a long-lived NEMO_TOKEN in your environment if you don't trust the service; 4) request the skill's source or provider contact and a privacy/Data Processing Addendum if you'll upload customer or proprietary assets. If you cannot validate the backend or the maintainer, do not upload sensitive or regulated assets.

Review Dimensions

Purpose & Capability
note: The skill name/description (create product promo videos) aligns with the required credential (NEMO_TOKEN) and the API endpoints described. However, the SKILL.md metadata lists a configPaths entry (~/.config/nemovideo/) and uses install-path-based attribution headers even though the registry metadata reported no config path requirements — this mismatch is unexplained.
Instruction Scope
concern: The instructions send uploaded files and session information to https://mega-api-prod.nemovideo.ai for rendering (expected for this purpose), but the SKILL.md also requires adding attribution headers whose value is derived from the agent's install path (e.g., checking ~/.clawhub/ or ~/.cursor/skills/). Determining that header may require reading filesystem/install paths not declared in the registry, and all user media will be transmitted to an external endpoint whose ownership and privacy policy are not provided in the skill metadata.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — low installation risk (nothing is written to disk by an install step).
Credentials
note: Only one env var (NEMO_TOKEN) is required, which is appropriate for a remote API. But SKILL.md also references a config path (~/.config/nemovideo/) in metadata and instructs deriving X-Skill-Platform from install paths; these imply additional filesystem access or metadata collection that wasn't declared as a requirement.
Persistence & Privilege
ok: The skill has default invocation settings (not always:true) and no install-time persistence. It does not request elevated or permanent presence.