Back to skill
Skillv1.0.0
ClawScan security
Video Converter To Mp4 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 26, 2026, 12:59 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill appears internally consistent: it routes uploads and conversion jobs to a single external service (nemovideo.ai), only requires one token (NEMO_TOKEN) and contains no install steps or unrelated credential requests.
- Guidance
- This skill will upload any video files you give it to an external service at mega-api-prod.nemovideo.ai for server-side conversion. It needs a NEMO_TOKEN (or will request an anonymous token from that service) and may read the skill frontmatter and common install paths to set attribution headers. There is no local install step. Before installing/use, confirm you trust the nemo/megavideo service and its privacy terms (videos you upload will leave your machine). If concerned, avoid uploading sensitive content, supply a dedicated, revocable token if possible, and verify where converted files are hosted and how long they are retained.
Review Dimensions
- Purpose & Capability
- okName/description (convert videos to MP4) match the instructions and required credential (NEMO_TOKEN) and API endpoints. Required config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are coherent with a cloud conversion backend.
- Instruction Scope
- noteRuntime instructions direct the agent to contact mega-api-prod.nemovideo.ai for anonymous-token issuance, session creation, SSE message streaming, uploads, and exports — all consistent with a cloud-based converter. The skill instructs reading the skill YAML frontmatter and checking common install paths (~/.clawhub, ~/.cursor/skills/) to set attribution headers; this requires reading local paths and the SKILL.md frontmatter but is limited in scope. The agent will also read user-supplied file paths to upload video content (necessary for the stated task).
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — lowest-risk install profile. Nothing is downloaded or written to disk by an install step.
- Credentials
- okOnly one environment credential is declared (NEMO_TOKEN) and used for the described API calls. The skill can also obtain an anonymous token from the service if NEMO_TOKEN is not present, which is consistent with the conversion service's flow.
- Persistence & Privilege
- okNo elevated persistence requested (always:false). The skill does instruct checking local install paths and a config directory for attribution purposes but does not request system-wide changes or other skills' credentials.