Skill v1.0.0

ClawScan security

Zencreator Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 18, 2026, 10:09 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated purpose (uploading and rendering videos via a cloud API) but contains small inconsistencies (declared config-paths vs registry metadata and some ambiguous filesystem/installation detection) that warrant caution before installing.
Guidance
This skill appears to really be a cloud video-rendering client and asks only for a single API token (NEMO_TOKEN), which is reasonable. Things to check before installing:

1) Confirm you trust the backend domain (mega-api-prod.nemovideo.ai) because your video files and any token will be sent there.
2) Decide whether to supply a long-lived NEMO_TOKEN or let the skill obtain an anonymous 7-day token (the skill will call an anonymous-token endpoint automatically).
3) Ask the publisher to explain the metadata mismatch: the SKILL.md references ~/.config/nemovideo/ and install-path detection for X-Skill-Platform, but the registry shows no required config paths — verify whether the skill will read filesystem paths and why.
4) If you are sensitive about content privacy, avoid providing a production token and test with non-sensitive clips or the anonymous token first.

If you want me to, I can draft specific questions to ask the skill author or show the exact HTTP requests the skill would perform so you can audit them.

Review Dimensions

Purpose & Capability
note: The skill's name/description match the actions described in SKILL.md: uploading video, creating sessions, rendering, and returning download URLs. Requested credential (NEMO_TOKEN) is appropriate for a cloud video API. Minor mismatch: registry metadata listed no required config paths, but the SKILL.md frontmatter references a config path (~/.config/nemovideo/). This mismatch is unexplained and worth clarifying.
Instruction Scope
note: SKILL.md gives explicit runtime instructions for session creation, SSE chat, uploads, exports, polling, and error handling — all consistent with a cloud rendering service. It also describes deriving an X-Skill-Platform header from install paths (e.g., ~/.clawhub/, ~/.cursor/skills/), which implies the agent may inspect filesystem paths; the doc does not state exactly how or why this is necessary. Otherwise instructions do not request unrelated system secrets or broad data collection.
Install Mechanism
ok: No install spec and no code files are present (instruction-only skill), so nothing is downloaded or written to disk by an installer. This is the lower-risk configuration.
Credentials
note: Only one credential (NEMO_TOKEN) is declared as required and is appropriate for the described API. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata said 'none' for config paths — an inconsistency. The skill also instructs using an anonymous-token endpoint when no environment token is present (generates short-lived token), which is plausible but means the skill will contact an external auth endpoint automatically.
Persistence & Privilege
ok: The skill does not request always: true and makes no claim about modifying other skills or system-wide settings. It runs via network calls to the service and uses a session model; autonomous invocation is allowed by default (normal for skills) but not elevated here.