Skill v1.0.0

ClawScan security

Generator In Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 22, 2026, 4:20 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions largely match a video-generation service and its single required credential (NEMO_TOKEN) is plausible, but there are minor metadata inconsistencies, an unknown upstream host, and privacy implications from uploading user video that you should understand before installing.
Guidance
This skill appears to do what it says (server-side video rendering) and only needs one API token, but pause before installing:
1) Source is unknown and there is no homepage — verify the vendor/reliability of mega-api-prod.nemovideo.ai before sending private footage.
2) Understand privacy/retention: uploaded videos will be sent to their servers; ask where files are stored, how long they are retained, and whether they are used for training.
3) Clarify the config-path discrepancy (~/.config/nemovideo/) with the publisher; ensure the skill won't read other local files.
4) Provide only the NEMO_TOKEN (or allow the skill to obtain an anonymous token) — do not give other unrelated credentials.
5) If you need stronger assurance, request an origin/homepage, documentation, or an official SDK/source repository to verify behavior.
If you decide to proceed, monitor network activity and avoid uploading sensitive footage until you confirm retention and deletion policies.

Review Dimensions

Purpose & Capability
note
Name/description claim: remote AI video generation from uploaded footage — the SKILL.md describes exactly that and requires a single API token (NEMO_TOKEN). This is proportionate. Minor inconsistency: top-level registry metadata listed no config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). That discrepancy should be clarified.
Instruction Scope
note
Runtime instructions direct the agent to obtain/use a token, create sessions, upload video files (up to 500MB), use SSE for editing operations, poll renders, and return download URLs from https://mega-api-prod.nemovideo.ai. These steps stay within the stated purpose. Important behavioral notes: user files are uploaded to a remote service (privacy/retention considerations); the SKILL.md also instructs to 'keep technical details out of the chat' which hides implementation details from users — benign for UX but worth flagging for transparency.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer as part of this skill package.
Credentials
note
Only one credential (NEMO_TOKEN) is declared as required and that aligns with the described API usage. Two concerns: (1) SKILL.md frontmatter includes a config path (~/.config/nemovideo/) even though registry metadata lists none; (2) the skill instructs generating an anonymous token if NEMO_TOKEN is absent — that is a reasonable fallback but means the agent will call an auth endpoint and receive a short-lived token which the agent will then use to upload user videos. Neither is necessarily malicious but both should be understood before use.
Persistence & Privilege
ok
The skill does not request always: true and does not claim to modify other skills or system-wide settings. Autonomous invocation (default) is enabled but not combined with unusually broad privileges.