Skill v1.0.0

ClawScan security

Your Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 18, 2026, 4:29 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches a cloud video-editing service, but there are small metadata/instruction inconsistencies and privacy implications (uploads and token handling) you should understand before installing.
Guidance
This skill implements a cloud-based video editor: it uploads your video files and uses a NEMO_TOKEN (or obtains an anonymous token from the nemovideo.ai backend) to create sessions and render outputs. Before installing:
1) Be aware your media and metadata will be sent to https://mega-api-prod.nemovideo.ai — do not use with sensitive videos unless you trust the service.
2) The SKILL.md mentions a local config path (~/.config/nemovideo/) but the registry omitted it — ask the author whether the skill will read/write that folder.
3) There is no source homepage or code to audit and the owner is unknown; that increases risk.
4) If you proceed, limit which credentials the agent can access, monitor network activity, and consider testing with non-sensitive sample files first.
If the maintainer can provide a homepage, privacy policy, or source code, review those before trusting real data.

Review Dimensions

Purpose & Capability: note
The name/description (cloud video editing) align with the runtime instructions: uploading video files, creating sessions, SSE for edits, and rendering to MP4. Requiring a NEMO_TOKEN is consistent with a cloud API. However, SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata did not list — an inconsistency worth noting.
Instruction Scope: note
Instructions explicitly instruct the agent to upload user video files and exchange tokens with https://mega-api-prod.nemovideo.ai, which is expected for a remote render service. The skill also instructs the agent to generate an anonymous token when NEMO_TOKEN is absent. This necessarily transmits user video and metadata to an external service — expected for the purpose, but a privacy/security consideration. The instructions also ask the agent to "auto-detect" an install path to set X-Skill-Platform, which is ambiguous for an instruction-only skill and may be impossible or ill-defined in some agent environments.
Install Mechanism: ok
Instruction-only: there is no install spec and no code artifacts to be written to disk by an installer. This lowers supply-chain risk.
Credentials: concern
Only one required env var (NEMO_TOKEN) is declared and used as the primary credential, which is proportionate. However the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/), creating inconsistency with the registry metadata (which lists no config paths). That suggests the skill may read or write a local config directory even though the registry didn't declare it. The skill will also create anonymous tokens via the remote API if NEMO_TOKEN is missing — this is reasonable but means tokens and uploads may be created/stored externally.
Persistence & Privilege: ok
The skill is not always:true and does not request elevated platform-wide privileges. It does not declare modification of other skills or global agent settings. Autonomous invocation is allowed (platform default) but not by itself a red flag.