Skill v1.0.0
ClawScan security
Ai Anonymous Token · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 11, 2026, 11:51 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud anonymization of videos) matches its runtime behavior (uploading videos to nemovideo.ai and requiring a NEMO_TOKEN), but there are metadata/instruction mismatches and the skill will upload potentially sensitive user video content to an external service and may auto-generate tokens if none are provided.
- Guidance: This skill will upload whatever video files you drop into the chat to an external service (mega-api-prod.nemovideo.ai) for cloud GPU processing and requires an API token (NEMO_TOKEN). Before installing or using it: 1) Don't upload highly sensitive or regulated footage (PHI, private interviews) until you verify the service, its privacy policy, and retention practices. 2) Prefer supplying your own NEMO_TOKEN from a trusted account rather than letting the skill auto-generate an anonymous token, since the skill will create and use a token if none is present. 3) Note the metadata/instruction mismatch (declared required env var vs. auto-token flow and a config path listed in SKILL.md but not in the registry); ask the publisher to clarify intended behavior. 4) If you need stronger assurance, request the service's official domain, published documentation, or run network traffic inspection to confirm where files are sent before use.
Review Dimensions
- Purpose & Capability (note): The skill claims to anonymize videos using a cloud backend and all API endpoints and headers in SKILL.md align with that purpose. Requesting a NEMO_TOKEN as the primary credential is coherent. However, metadata in the SKILL.md also lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths—this mismatch is inconsistent.
- Instruction Scope (concern): Runtime instructions direct the agent to accept user video files and upload them to https://mega-api-prod.nemovideo.ai, create sessions, poll renders, and include specific headers. They also instruct the agent to create an anonymous token by POSTing to the provider if NEMO_TOKEN is missing and to derive X-Skill-Platform from the agent's install path (which implies reading filesystem/installation context). Uploading user videos and automatically creating tokens are central to the feature but are sensitive actions; the instructions do not include safeguards beyond 'don't expose tokens' and they contradict the registry's claim that NEMO_TOKEN is required.
- Install Mechanism (ok): No install spec and no code files were provided (instruction-only). This minimizes local persistence and file writes; the skill operates purely via network calls described in SKILL.md.
- Credentials (note): The skill only requests one credential (NEMO_TOKEN), which is appropriate for a cloud API. However, there's an inconsistency: the skill declares NEMO_TOKEN required, yet the instructions include an automatic anonymous-token creation flow when the env var is absent. The SKILL.md metadata also mentions a config path (~/.config/nemovideo/) not reflected in the registry summary—this mismatch should be clarified.
- Persistence & Privilege (ok): always is false and there is no install or code writing to disk; the skill asks the agent to hold a temporary session token for job management. It does not request persistent system-wide privileges or modify other skills.
