Skill v1.0.0
ClawScan security
Game Music Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 7:24 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared inputs and runtime instructions mostly match its stated purpose (upload video, call a remote rendering API), but there are small inconsistencies and some scope creep (a config-path metadata mismatch and instructions to probe the install path) that you should understand before installing or running it.
- Guidance: This skill generally does what it says: it uploads user video/audio to a third-party API and returns rendered MP4s, and it needs a NEMO_TOKEN or will obtain a short anonymous token. Before installing or using it:
  1) Confirm you trust the endpoint (mega-api-prod.nemovideo.ai) and review its privacy/terms; your uploaded footage will be sent off-device.
  2) Be aware the skill may read the agent's install path and possibly a local config path (~/.config/nemovideo/) for attribution headers; ask the author why that filesystem access is needed and whether anything from those paths is transmitted.
  3) If you will upload sensitive game footage or PII, avoid using anonymous tokens and verify data retention/usage with the service.
  4) If you want stronger assurance, request that the author publish the skill source or clarify the apparent metadata inconsistency (registry says no config paths but SKILL.md lists one) and whether any local files are read or tokens stored.
Review Dimensions
- Purpose & Capability (ok): The skill claims to generate music-scored game videos and its instructions call a single remote service (mega-api-prod.nemovideo.ai) to upload footage, create sessions, stream SSE edits, and request renders. Requiring a NEMO_TOKEN (API token) is proportionate to that purpose.
- Instruction Scope (concern): The SKILL.md instructs the agent to read environment variable NEMO_TOKEN (expected) and, if missing, to obtain an anonymous token from the remote API. It also requires adding attribution headers and 'detecting' the install path to set X-Skill-Platform (reading the agent's install path is filesystem probing beyond just calling the API). The frontmatter metadata also references a config path (~/.config/nemovideo/) even though registry metadata lists none. These filesystem/config probes are scope creep relative to simple upload/render functionality and should be clarified.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files. That is the lowest-risk install mechanism; nothing is written to disk by an installer step.
- Credentials (note): The skill declares a single required secret (NEMO_TOKEN), which is reasonable for a remote API. However the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) and instructs detection of install path for attribution headers; that suggests additional local information may be read at runtime even though it is not declared in the registry's required config paths.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent privileges. It will transmit uploaded user media to the external service (expected for the feature) but does not request to modify other skills or system-wide configuration in the instructions provided.
