Skill v1.0.0

ClawScan security

Maker Facebook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 4:29 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requested inputs and runtime instructions are consistent with a cloud video-rendering integration; nothing obvious is asking for unrelated credentials or installing unexpected components, though there are minor metadata inconsistencies and privacy considerations around sending files to a third‑party API.
Guidance
This skill appears to do what it says: it uploads media to a third‑party render service and returns a rendered MP4. Before installing or using it, consider: (1) Review the privacy/security policy of mega-api-prod.nemovideo.ai — any files you upload will be transmitted to that service. Avoid uploading sensitive videos or audio. (2) The skill needs a NEMO_TOKEN (or will request an anonymous token); treat that token like a credential and don’t paste it into public logs. (3) The skill may read local paths to determine X-Skill-Platform — if you’re uncomfortable with tools probing your home directory or environment, decline. (4) The registry/frontmatter mismatch for config paths looks like an authoring error; if you need higher assurance, ask the publisher for the source or a privacy statement before proceeding.

Review Dimensions

Purpose & Capability
ok: The name/description (Facebook video maker) matches the runtime instructions (upload media, create sessions, request renders) and the single required credential (NEMO_TOKEN). One minor inconsistency: the registry metadata provided to you listed no config paths, while the skill's frontmatter metadata declares a configPaths entry (~/.config/nemovideo/) — this is likely an authoring mismatch but doesn't change the core capability.
Instruction Scope
note: SKILL.md instructs the agent to obtain or use a NEMO_TOKEN, create sessions, upload user media, stream SSE edits, poll render status, and include attribution headers. These actions are within the described purpose. Two things to be aware of: (1) the skill asks the agent to detect an install path (~/.clawhub or ~/.cursor/skills) to set X-Skill-Platform — that requires reading the filesystem/environment and could leak environment details; (2) user media (up to 500MB) is uploaded to an external domain (mega-api-prod.nemovideo.ai), so sensitive content will leave the local machine. The instructions explicitly say not to print tokens or raw JSON, which is good.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written as part of installation.
Credentials
ok: Only one environment variable (NEMO_TOKEN) is required and it directly maps to the API's Bearer auth. The skill also offers an anonymous-token flow to generate a token at runtime. No unrelated secrets or broad credential access are requested.
Persistence & Privilege
ok: always:false and normal autonomous invocation behavior. The skill instructs saving a session_id and using tokens for requests (normal for a session-based API). It does not request persistent system-wide privileges or modifications to other skills.