Skill v1.0.0

ClawScan security

Making Video Hd Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 3:25 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill broadly matches a cloud video-rendering tool, but there are several inconsistencies and unexpected behaviors (metadata mismatches, filesystem checks, token handling, and external uploads) that warrant caution before installation.
Guidance
This skill appears to be a cloud video renderer, but exercise caution before installing. Specific points to consider:
- Source and homepage are missing and the owner is unknown — no provenance to verify safety.
- The SKILL.md asks the agent to read the skill's frontmatter and detect local install paths to set X-Skill-Platform; this requires filesystem access and is unusual for a simple video upload workflow.
- The registry metadata and the SKILL.md disagree about config paths and token behavior (declares NEMO_TOKEN as required, yet the skill can obtain an anonymous token itself). Ask the author to clarify which is authoritative.
- User videos will be uploaded to https://mega-api-prod.nemovideo.ai; consider confidentiality and whether you trust that endpoint. Uploaded files, and any generated tokens, will be sent off-platform.
- If you need stronger assurance: request a homepage or repo, ask for an explanation of why filesystem detection is needed, verify the API domain belongs to the vendor, or run the skill in a restricted environment where it cannot read arbitrary local paths. If you cannot verify provenance, treat it as untrusted when handling sensitive video or private data.

Review Dimensions

Purpose & Capability
concern: The skill claims to be a cloud-based video render/exporter and only needs a NEMO_TOKEN, which is plausible. However, registry metadata (requirements listed outside the SKILL.md) says no config paths, while the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). The SKILL.md also requires reading its own YAML frontmatter and detecting the agent's install path (~/.clawhub/, ~/.cursor/skills/) to populate X-Skill-Platform. Reading these paths is not obviously required for video rendering and is an extra, surprising access pattern.
Instruction Scope
concern: The runtime instructions direct the agent to: check the environment for NEMO_TOKEN, otherwise call an anonymous-token endpoint to obtain one; read the SKILL.md frontmatter and detect install paths to set attribution headers; and upload user files to an external API (mega-api-prod.nemovideo.ai). These steps include filesystem checks and network calls beyond simple file upload. The token-acquisition flow and the requirement to read local install paths are scope-expanding and should be justified by the author.
Install Mechanism
ok: Instruction-only skill with no install spec or code files — nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
note: The skill declares only one required env var (NEMO_TOKEN), which is proportionate for a cloud API. However, the SKILL.md describes an automatic anonymous-token acquisition flow if NEMO_TOKEN is absent, which contradicts the 'required' declaration. The skill will send videos (user content) and auth tokens to an external domain, so consider privacy and token handling.
Persistence & Privilege
ok: always:false and no install-time persistence or cross-skill config changes are requested. The skill can be invoked autonomously by the agent (normal platform default) but does not request elevated or permanent presence.