Skill v1.0.0

ClawScan security

Highlight Editor App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 2:40 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions largely match its stated purpose (upload video, call a remote render API) and only request a single service token, but there are small inconsistencies in metadata and provenance that warrant caution before installing and using it with sensitive footage.
Guidance
This skill appears to do what it says (upload video to a remote rendering service and return highlights) and only asks for one service token, but exercise caution:
1) The service endpoint is external (mega-api-prod.nemovideo.ai): any video you upload will leave your device; avoid uploading sensitive or private footage until you trust the service.
2) The package metadata is inconsistent (SKILL.md declares a config path that registry metadata does not); that could be a packaging error but reduces confidence in provenance.
3) There is no source or homepage listed and the owner is an opaque ID; if you need stronger assurance, ask the author for a code repository, privacy/data-retention policy, or a corporate identity.
4) Test first with non-sensitive sample videos and monitor network activity.
5) If you already have a NEMO_TOKEN, prefer using it; do not paste other unrelated credentials.
If you require higher assurance, request the skill author to provide source code or a verifiable homepage before using it with real data.

Review Dimensions

Purpose & Capability
note: The skill claims to produce video highlights via a remote API, and the runtime instructions call endpoints on mega-api-prod.nemovideo.ai and require a NEMO_TOKEN; this is coherent. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths; that mismatch is unexplained and suggests packaging inaccuracy or stale metadata.
Instruction Scope
note: SKILL.md instructs the agent to obtain/use NEMO_TOKEN (or acquire an anonymous token), create sessions, upload video files, read SSE streams, poll render status, and return download URLs, all consistent with a remote render service. It also instructs constructing attribution headers and deriving X-Skill-Platform from the install path, which implies the agent may need to inspect its environment/install path. There are no instructions to read unrelated local secrets or system files, but uploading user video to a third-party service is explicit and privacy-relevant.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest-risk install model. There are no external downloads or packages referenced.
Credentials
ok: Only a single service credential (NEMO_TOKEN) is declared as required, and it is directly used for API Authorization. The SKILL.md also describes obtaining an anonymous token if NEMO_TOKEN is absent. No unrelated credentials or broad system secrets are requested.
Persistence & Privilege
note: The skill does not request always:true and uses default autonomous invocation settings. It directs saving a session_id returned from the API (reasonable for session management) but does not specify persistent writes to other skills or system-wide settings. Because it will upload user data to an external service and may inspect the install path to set headers, users should be aware of the operational footprint.