Skill v1.0.0

ClawScan security

Free Youtube Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 6:29 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are generally consistent with a cloud-based video rendering service (it needs a NEMO_TOKEN and uploads video files to nemo's API), with a few minor inconsistencies and privacy considerations to review before use.
Guidance
This skill behaves like a normal cloud-video-editor: it will read a NEMO_TOKEN environment variable (or request an anonymous token from https://mega-api-prod.nemovideo.ai), upload video files you provide, and poll the service for render status and a download URL. Before installing/using:
1) Confirm you trust the endpoint mega-api-prod.nemovideo.ai and its privacy terms (you're uploading media to that service).
2) Be aware the skill may probe certain home paths (~/.clawhub, ~/.cursor/skills/, and the frontmatter mentions ~/.config/nemovideo/) to set headers — it doesn't need to modify files, but it may check for those paths; avoid giving it access to sensitive directories.
3) If you care about limiting access, set a scoped or anonymous token (rather than a long-lived secret) and don't export sensitive content.
4) Because this is instruction-only, it won't install binaries on disk, but it will make network calls and store session IDs in-memory.
If you want to be safer, verify the service's website/policy and create a dedicated token/account just for this skill.

Review Dimensions

Purpose & Capability
ok
The skill claims to perform cloud video editing and the SKILL.md describes API endpoints, session creation, uploads, SSE streams, and exports — all appropriate for that purpose. Requesting a single service token (NEMO_TOKEN) is proportionate to a cloud backend.
Instruction Scope
note
Instructions ask the agent to read NEMO_TOKEN from the environment (expected) and to upload user-provided video files (expected). They also describe detecting install paths (~/.clawhub, ~/.cursor/skills/) to set an X-Skill-Platform header and reference a config path in the frontmatter (~/.config/nemovideo/). Detecting install paths or config dirs is not necessary for core video processing and is an extra file-system check the user should be aware of.
Install Mechanism
ok
No install step or external packages are specified (instruction-only). That minimizes disk-write risk; the skill solely makes network calls to the described API.
Credentials
note
Only NEMO_TOKEN is declared as required (primary credential), which matches the described API usage. The SKILL.md also documents how to acquire an anonymous NEMO_TOKEN by POSTing to the service if none is present — this behavior is reasonable but means the skill will make network calls to mint a token on first use. The frontmatter's configPaths entry conflicts with the registry's 'no required config paths' and should be clarified.
Persistence & Privilege
ok
The skill is not marked always:true and does not request system-wide persistence. It instructs keeping session_id in-process for operations, which is standard. There are no instructions to alter other skills or global agent settings.