Skill v1.0.0

ClawScan security

Video Canva · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 6:19 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with a cloud video-rendering service: it needs one service token, uploads user media to a remote API, and uses session tokens for render jobs — nothing obviously unrelated is requested, but the skill comes from an unknown source and a small metadata mismatch should be noted.
Guidance
This skill will upload any images/clips you give it to a third‑party rendering service at mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (it can create a temporary anonymous token for you). Before installing/using: 1) confirm you trust the domain/service (no homepage or known owner is provided here), 2) avoid uploading sensitive content to an unknown service, 3) if you already have a NEMO_TOKEN, treat it like any API secret, and 4) ask the publisher to clarify the config-path reference (~/.config/nemovideo/) shown in the SKILL.md frontmatter. If you’re uncomfortable, don’t provide private files or credentials and request more provenance (homepage, owner info, or privacy policy).

Review Dimensions

Purpose & Capability
ok
The name/description (create videos from images/clips) matches the runtime actions: creating sessions, uploading media, queuing render jobs and returning download URLs. Requesting a single service token (NEMO_TOKEN) and asking to POST to an API at mega-api-prod.nemovideo.ai is proportionate to a cloud render backend.
Instruction Scope
note
SKILL.md explicitly instructs the agent to check for NEMO_TOKEN, generate an anonymous token if missing (via an anonymous-token endpoint), create sessions, upload files, stream SSE responses, poll render status, and return download URLs. These operations are within the stated purpose. Minor scope items: it instructs auto-detection of an install path to set X-Skill-Platform (which may require reading agent install/config path) and references a local config path (~/.config/nemovideo/) in frontmatter — this is slightly outside pure upload/render steps but not a clear abuse.
Install Mechanism
ok
No install spec or third-party packages are requested (instruction-only). Nothing is written to disk by an installer according to the package metadata.
Credentials
note
The skill declares a single primary credential (NEMO_TOKEN) which is consistent with a cloud API. The instructions also allow anonymously obtaining a temporary token. There is a small inconsistency: registry metadata listed no config paths, but the SKILL.md frontmatter references ~/.config/nemovideo/ — this should be clarified. Remember that NEMO_TOKEN grants access to upload and render operations on the remote service, so treat it like a service credential.
Persistence & Privilege
ok
The skill is user-invocable, not always-enabled, and does not request elevated or system-wide privileges. It asks the agent to hold a session_id for the duration of operations, which is normal. There is no instruction to modify other skills or global agent configuration.