Skill v1.0.0
ClawScan security
Shorts Niche Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 6:49 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions, required credential (NEMO_TOKEN), and remote-rendering workflow match its stated purpose (niche analysis + cloud Shorts rendering), but it will transmit uploaded files and may create/obtain an anonymous token on first use; review privacy before uploading sensitive data.
- Guidance: This skill is coherent for cloud niche analysis and video rendering, but it will upload your files and prompts to mega-api-prod.nemovideo.ai and may create an anonymous token if you don't have NEMO_TOKEN set. Before installing or using it: (1) avoid uploading sensitive or private data (PII, proprietary media) unless you trust the service and have reviewed its privacy/retention policy; (2) confirm the origin and intended scope of NEMO_TOKEN (do not reuse unrelated credentials); (3) ask the publisher to clarify the configPath discrepancy (~/.config/nemovideo/) and whether any local files are read for platform detection; and (4) if you need on-device-only analysis or strict data controls, do not use this skill.
Review Dimensions
- Purpose & Capability (ok): The name/description (Shorts niche analysis + cloud rendering) aligns with the actions in SKILL.md (analysis, upload, render, export). Requesting a service token (NEMO_TOKEN) is appropriate for a cloud API-backed renderer/analysis service. Minor mismatch: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry summary said was not required; this should be clarified but is not inherently malicious.
- Instruction Scope (note): Instructions explicitly direct the agent to contact a remote backend (mega-api-prod.nemovideo.ai), create sessions, upload user files (up to 200MB), stream SSE chat, and poll render status. Those actions are consistent with a cloud rendering/analysis service. Important privacy note: user uploads and prompts are sent to the third-party backend; the skill also auto-requests an anonymous token if NEMO_TOKEN is absent. No instructions ask the agent to read unrelated local files or credentials beyond NEMO_TOKEN and optional install/config path detection.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files, so this is the lowest install risk. All runtime behavior is API calls described in SKILL.md; nothing is downloaded or written by an installer.
- Credentials (note): Only NEMO_TOKEN is declared as a required environment variable (primaryEnv). That is proportional for a cloud API client. The skill also documents how to obtain an anonymous token from the backend if NEMO_TOKEN is missing, which will cause outbound network activity. There is a small inconsistency: SKILL.md metadata lists ~/.config/nemovideo/ in configPaths while the registry metadata summary shows no required config paths; this should be clarified.
- Persistence & Privilege (ok): The skill is not always-enabled and uses normal autonomous invocation settings. It does not request persistent system-wide privileges or attempt to modify other skills' configuration in the provided instructions.
