Skillv1.0.0

ClawScan security

Gif Video Maker Free Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 3:01 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (convert GIFs/videos to MP4) matches its instructions and required credential (NEMO_TOKEN); it is an instruction-only connector to the nemovideo API with no install steps or unrelated privileges requested.
Guidance: This skill acts as a thin client for the nemovideo cloud service: it will upload any media you send to that third-party API and will use or generate a NEMO_TOKEN to authenticate. Before installing, consider whether you are comfortable uploading the types of files you will send (no special handling of sensitive data is described). If you want to limit impact: (1) create a dedicated/throwaway account or anonymous token rather than using personal service credentials, (2) avoid uploading sensitive images/audio, (3) verify the api domain (mega-api-prod.nemovideo.ai) and the service's privacy policy, and (4) confirm where session tokens are stored (the metadata lists ~/.config/nemovideo/) and whether you can remove them later. Overall the skill is coherent with its stated purpose and does not request unrelated secrets or installs.

Review Dimensions

Purpose & Capability: okName/description, required env var (NEMO_TOKEN), and the SKILL.md all describe using the same nemovideo cloud API for video rendering. The declared API endpoints, required Authorization header, and upload/render flows are consistent with a remote conversion service.
Instruction Scope: okThe runtime instructions focus on creating/using an anonymous or existing NEMO_TOKEN, opening a session, uploading media, reading SSE render progress, and polling state. They instruct network calls to the stated API and file uploads for user media. The instructions do not request unrelated system files, shell history, or other credentials.
Install Mechanism: okNo install spec or code files are present (instruction-only). Nothing is downloaded or written by an installer in the metadata, which minimizes on-disk risk.
Credentials: noteOnly NEMO_TOKEN is declared as required and is directly used for API auth, which is proportionate. SKILL.md also provides an anonymous-token flow to obtain a token if absent. The metadata lists a config path (~/.config/nemovideo/) but the instructions do not explicitly require reading arbitrary local config — this is likely intended for storing session/token data but should be confirmed by the maintainer.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated platform privileges or attempt to modify other skills. It describes saving session_id and using session tokens for rendering, which is normal for a session-based API client.