Skill v1.0.0

ClawScan security

Joyfun Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 16, 2026, 12:55 AM)
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud AI video editing) matches its instructions and required credential (NEMO_TOKEN); it uploads user media to an external rendering API and is internally coherent, but it will transmit your videos to a third‑party service and reads some local path information for attribution.
Guidance
This skill appears to do what it says: it uploads your video/audio files to nemovideo's cloud API, creates sessions, streams SSE responses, and returns a download URL. Before installing or using it, consider: (1) Your media will be transmitted to a third-party service — do not upload sensitive or proprietary footage unless you trust nemovideo and its privacy terms. (2) The skill can obtain an anonymous token automatically if NEMO_TOKEN is not set; anonymous tokens have limited credits and expiry. (3) It may read local attribution metadata and the listed config path (~/.config/nemovideo/) for configuration — if you have sensitive files there, avoid granting access. (4) Source is unknown and there is no install artifact to inspect, so exercise usual caution (review service privacy, avoid supplying secrets beyond NEMO_TOKEN, and consider testing with non-sensitive clips first).

Review Dimensions

Purpose & Capability
ok: Name/description, endpoints, and the single required env var (NEMO_TOKEN) align: the skill talks to nemovideo API endpoints for uploads, session creation, render jobs and credits. Asking for a token is expected for this cloud service.
Instruction Scope
note: Instructions are focused on uploading media, creating sessions, streaming SSE events, and exporting renders. Notable behaviors: it will obtain an anonymous token when NEMO_TOKEN is absent, upload user files to the remote API, poll session state, and read the skill frontmatter and detect install paths to set attribution headers. Those attribution/read-actions are within the claimed purpose but do require reading some local paths/metadata (install location, frontmatter).
Install Mechanism
ok: No install spec or downloaded code — instruction-only. This minimizes install-time risk (nothing written to disk by an installer).
Credentials
note: Only NEMO_TOKEN is required and is appropriate for authenticating to the described service. The metadata also lists a config path (~/.config/nemovideo/) which suggests the skill may read that directory if present — reasonable for a client that can use local config, but it means local config files may be inspected if the agent follows that metadata.
Persistence & Privilege
ok: always is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings based on the provided instructions.