Skillv1.0.0

ClawScan security

Movie Maker Free No Login · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 16, 2026, 6:03 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches its stated purpose (upload clips, call a cloud video API using a NEMO_TOKEN or anonymous token), but there are small mismatches and behaviors that deserve caution before you install or use it.
Guidance: This skill appears to do what it says (upload user-supplied clips to a remote renderer using a NEMO_TOKEN or an anonymous token it can obtain), but a few things to consider before using it: - Network and privacy: the skill will send your media to https://mega-api-prod.nemovideo.ai and may generate an anonymous token automatically if you don't supply one. Only upload media you are comfortable sending to an external service. - Credentials: if you provide a NEMO_TOKEN, it will be used as a bearer token for all requests. Don't reuse sensitive or long-lived credentials from unrelated accounts. If you don't have a token, the skill requests one anonymously (it will send a generated client UUID). - Filesystem probing: the instructions ask the agent to read the skill frontmatter and detect install paths (~/.clawhub, ~/.cursor/skills) and reference a local config path (~/.config/nemovideo/). This may involve checking for files or directories in your home folder; ask the skill author why this is needed and whether those checks can be skipped. - Missing provenance: there is no homepage or source listed and the registry metadata/frontmatter disagree about required config paths. If you plan to use this regularly, request publisher/source information, a privacy policy, or official documentation for the API endpoint to reduce risk. If you only want a quick test, prefer dropping small non-sensitive clips and do not supply an existing NEMO_TOKEN until you verify the service and its owner.

Review Dimensions

Purpose & Capability: noteThe skill's requested credential (NEMO_TOKEN) and network calls to a nemo video API align with a cloud-based video-rendering service. However the SKILL.md frontmatter also declares a config path (~/.config/nemovideo/) and runtime instructions ask the agent to detect install paths (~/.clawhub/, ~/.cursor/skills/) for attribution headers — this filesystem probing is not clearly justified by the minimal description and is inconsistent with the registry metadata (which listed no required config paths).
Instruction Scope: noteInstructions stay focused on creating sessions, uploading media, streaming SSE, polling render status and returning a download URL. They require reading the SKILL.md frontmatter for X-Skill-* headers and detecting an install path on disk. That means the agent will perform filesystem checks (home-directory paths) and make outbound requests to an external API. The steps for acquiring an anonymous token also cause automatic network calls if no token is provided. There is no instruction to read unrelated files or environment variables beyond NEMO_TOKEN, but the install-path detection and optional config path mention broaden the scope slightly.
Install Mechanism: okThis is an instruction-only skill with no install spec and no bundled code — lowest install risk. All runtime actions are network calls described in prose; nothing is downloaded or written by an installer.
Credentials: noteOnly one credential is declared (NEMO_TOKEN), which is appropriate for a hosted video service. However the SKILL.md also includes metadata about a config path (~/.config/nemovideo/) that was not listed in the registry metadata; the skill's instructions imply it may look for local install locations to set an attribution header. Requiring or probing local config paths or agent install paths increases privacy exposure and should be justified.
Persistence & Privilege: okThe skill is not flagged always:true and uses the normal model-invocation default. It does not request permanent/always-on presence or modification of other skills or system-wide settings.