Skill v1.0.0
ClawScan security
Bing Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 4:49 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud video-compile service: it only needs a service token (NEMO_TOKEN), uploads user-provided video, and talks to the nemo video API — there are minor metadata inconsistencies but no evidence of unrelated credential access or suspicious install behavior.
- Guidance: This skill appears to do what it says: it uploads video clips to a nemo-video cloud service, uses a bearer token (NEMO_TOKEN) or automatically obtains a 7-day anonymous token, and returns rendered download URLs. Before installing, consider: (1) you will be uploading video files to https://mega-api-prod.nemovideo.ai — don't upload sensitive or private footage unless you trust the operator; (2) the skill will send whatever NEMO_TOKEN you provide to that domain as Authorization: Bearer — ensure the token's scope is limited; (3) clarify the metadata inconsistency about a local config path (~/.config/nemovideo/) so you know whether local token/config files might be read or written; (4) there's no source/homepage listed for the skill — if provenance matters, ask the publisher for a homepage, privacy policy, or contact info before using.
Review Dimensions
- Purpose & Capability (note): The skill name/description (cloud video search + compile) aligns with the runtime instructions that upload clips, create a session, run SSE-based edits, and request exports from https://mega-api-prod.nemovideo.ai. Requiring a NEMO_TOKEN and an anonymous-token fallback is coherent for a hosted service. Note: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this is an internal inconsistency (likely harmless) that should be clarified.
- Instruction Scope (ok): SKILL.md stays within the stated scope: it instructs creating/using a service token, creating a session, uploading video files, issuing edits via SSE, polling export status, and returning download URLs. It does not instruct reading unrelated system files or other environment variables. It does recommend treating some tool outputs as internal and not forwarding them to the chat, which is reasonable for internal API events but merits awareness.
- Install Mechanism (ok): This is instruction-only with no install spec or code files, so nothing is written to disk or downloaded by the skill itself — lowest-risk install posture.
- Credentials (note): Only one credential is required: NEMO_TOKEN (declared as primary). That matches the described behavior (Bearer token sent to the nemo API). The skill also documents an anonymous-token flow that generates a temporary token if none is present — expected but worth noting because the skill will obtain and use a token automatically if you don't supply one. The SKILL.md frontmatter lists a config path; the registry metadata omitted it — clarify whether local config/token files may be read/written.
- Persistence & Privilege (ok): The skill is not always-enabled and has no install-time persistence. It can be invoked autonomously (platform default) but does not request system-wide config changes or cross-skill credentials.
