Skill v1.0.0
ClawScan security
Add Music To Video App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 12:28 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared network calls, token usage, and file-upload behavior match its stated purpose of uploading videos and requesting cloud rendering; nothing requested is disproportionate to adding music to videos.
- Guidance: This skill is internally consistent: it uploads user video files to the nemovideo.ai backend and uses a single token (NEMO_TOKEN) for authentication. Before installing or using it, consider: 1) Only provide a personal NEMO_TOKEN if you trust nemovideo.ai — otherwise allow the skill to obtain an anonymous token as described. 2) The SKILL.md mentions reading a config path (~/.config/nemovideo/) and detecting install paths for attribution headers; if you are uncomfortable with the skill probing those locations, ask the author to remove or document that behavior. 3) Uploaded videos and any audio/video content will be sent to the external service — review the service's privacy policy if your content is sensitive. 4) No other credentials or installers are requested, and there are no embedded code files in the skill package.
Review Dimensions
- Purpose & Capability (ok): The skill integrates with a single video-processing backend (nemovideo), requires a single token (NEMO_TOKEN) for Bearer auth and describes upload/export endpoints — all coherent with its 'add music to video' purpose.
- Instruction Scope (note): Instructions are focused on session creation, SSE streaming, uploads, status and export polling. They only direct traffic to the nemovideo API. Note: the SKILL.md includes YAML metadata that mentions a config path (~/.config/nemovideo/) and logic to detect the install path to set an X-Skill-Platform header; this implies the skill may probe install/config locations for attribution, which is marginally broader than strictly required for upload/auth but not obviously malicious.
- Install Mechanism (ok): There is no install spec and no code files — the skill is instruction-only, so nothing is downloaded or written to disk by the skill itself.
- Credentials (note): Only NEMO_TOKEN is requested as a credential (primaryEnv). That is proportionate for a cloud service. Minor inconsistency: the top-level manifest reported no required config paths, but the SKILL.md metadata lists ~/.config/nemovideo/ — this should be clarified (reading a config directory is more access than just using an env var).
- Persistence & Privilege (ok): always is false and the skill is user-invocable. The runtime instructions describe temporary session tokens and server-side jobs; there is no instruction to modify other skill settings or require permanent presence.
