Skill v1.0.0

ClawScan security

From Video Openapi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 6:01 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a remote video-processing API: it asks for a single service token (NEMO_TOKEN), uploads user-provided video files to a remote endpoint, and describes the expected API calls and error handling; nothing in the instructions requests unrelated credentials or system access.
Guidance
This skill appears to do what it says: it uploads videos and interacts with nemo's API using NEMO_TOKEN (or an anonymously obtained token). Before installing or using it, consider: (1) privacy — your videos and any metadata will be sent to mega-api-prod.nemovideo.ai; don't upload sensitive content unless you trust the provider and their terms; (2) token handling — provide your own NEMO_TOKEN if you want control over account access, and confirm whether the skill reads ~/.config/nemovideo/ on your system; (3) attribution headers — the skill will send X-Skill-Source and related headers on requests which may reveal usage context; (4) confirm retention and billing policies (the skill mentions credits, 7-day anonymous tokens, and potential subscription gates). If you need stricter guarantees about data residency or credentials, request more details from the publisher before enabling.

Review Dimensions

Purpose & Capability
note: The skill's name/description (remote video processing/export) aligns with the declared primary credential (NEMO_TOKEN) and the API endpoints in SKILL.md. Minor inconsistency: the registry metadata reported no required config paths, but the SKILL.md frontmatter lists ~/.config/nemovideo/ as a config path; this is plausibly used to find stored tokens but should be clarified.
Instruction Scope
ok: SKILL.md confines actions to: checking NEMO_TOKEN, optionally obtaining an anonymous token from the provider, creating a session, uploading user-supplied media, and polling/rendering via the provider's API. It does not instruct arbitrary file reads or unrelated environment access. Important behavior: user videos and metadata are sent to an external service (mega-api-prod.nemovideo.ai) — this is expected for the stated purpose but has privacy implications.
Install Mechanism
ok: Instruction-only skill with no install steps and no code files — lowest-risk install footprint.
Credentials
note: Only NEMO_TOKEN is required (primaryEnv). The skill also details how to obtain an anonymous token if NEMO_TOKEN is absent, which is consistent with the service flow. The SKILL.md frontmatter referencing a config path (~/.config/nemovideo/) is reasonable if used to locate stored credentials, but registry metadata omitted that — clarify whether the skill will read that file path.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated or persistent system privileges. It creates and uses session tokens for API calls (normal for remote services). It does not instruct altering other skills or system-wide settings.