Skill v1.0.0

ClawScan security

Tiktok Free Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 12, 2026, 10:49 AM)
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are internally consistent with a cloud-based video conversion service, but it sends uploaded video data and session tokens to a third-party backend you should review before use.
Guidance
This skill appears to do what it claims (upload your video to a remote render service and return a processed MP4). Before installing or using it, consider: (1) Privacy: your video files (and any embedded audio/metadata) will be uploaded to https://mega-api-prod.nemovideo.ai — don't upload sensitive or proprietary footage unless you trust that endpoint. (2) Tokens & storage: the skill will create or accept a NEMO_TOKEN and persist a session_id; check where (and for how long) session/token data is stored on your device (~/.config/nemovideo/ is referenced). (3) Trustworthiness: the skill has no homepage and an unknown source owner — if you need stronger assurance, ask the developer for a privacy policy, audit logs, or a canonical service page for nemovideo.ai. (4) If you prefer more control, provision your own NEMO_TOKEN (if available) rather than allowing the skill to auto-generate anonymous tokens. If you accept those tradeoffs, the skill's behavior is proportional to its purpose. If you cannot verify the backend, avoid uploading sensitive content.

Review Dimensions

Purpose & Capability
ok: The name/description (convert TikTok videos to watermark-free YouTube-ready MP4) matches the instructions: upload endpoint, render/export endpoints, credits and session flows. The single required env var (NEMO_TOKEN) and the listed config path (~/.config/nemovideo/) are coherent with a remote video-processing backend.
Instruction Scope
note: The SKILL.md instructs the agent to automatically obtain an anonymous token and create a session, upload user video files (up to 500MB), poll for render status, and deliver a download URL. These actions are expected for a cloud-rendering service, but they do involve sending user media and metadata off-device. The skill also instructs not to show raw API responses or token values to the user; this is a privacy/UX directive, not necessarily malicious, but it does underscore that secrets/tokens will be handled internally.
Install Mechanism
ok: Instruction-only skill: no install spec, no code files, and therefore nothing is written to disk by an installer. This lowers risk compared to packages that download and execute arbitrary code.
Credentials
note: Only one environment variable is declared (NEMO_TOKEN), which is appropriate for an API-backed service. The frontmatter also references a config path (~/.config/nemovideo/), which is plausible for storing tokens/session state but worth noting because it implies filesystem reads/writes could be used for persistence. The skill also offers to anonymously obtain a token if none is provided (POST to /api/auth/anonymous-token), which means the skill will make network calls even without a preconfigured credential.
Persistence & Privilege
ok: The "always" flag is false and there is no install step that requests persistent system privileges. The skill does instruct storing a session_id and token for subsequent requests, but this is normal for a session-based API client. Autonomous invocation is allowed by default (not flagged by itself).