Skill v1.0.0

ClawScan security

Maker Free Chinese · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 4:12 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (cloud Chinese video creation) lines up with its runtime instructions and the single required credential (NEMO_TOKEN); only minor inconsistencies and privacy considerations were found.
Guidance
This skill appears internally consistent: it talks to a cloud backend (mega-api-prod.nemovideo.ai), needs one token (NEMO_TOKEN), and describes file upload and render endpoints. Before installing: (1) Be aware that any video or audio you send will be uploaded to the external service — don't upload sensitive content. (2) The skill can auto-request an anonymous token from the backend; that token grants render/upload access for the free tier (short expiry). Use an account/token you can revoke if you want control. (3) The SKILL.md references reading local install paths and a config directory (~/.config/nemovideo/) in its metadata; confirm with the publisher whether the skill will actually access those paths — if you want to limit local reads, avoid enabling the skill in environments with sensitive files. (4) The service domain is not a well-known vendor in the skill metadata; if you rely on this production workflow for important data, verify the service's privacy/terms and availability. (5) Test with non-sensitive sample media first and consider using a disposable or revocable token.

Review Dimensions

Purpose & Capability
ok
The name and description (make Chinese videos with overlays/subtitles) match the instructions: session creation, file upload, render/export endpoints, and use of an API token. Requesting a single service token (NEMO_TOKEN) is proportionate to a cloud backend service.
Instruction Scope
note
SKILL.md contains concrete API calls and a clear session/upload/render flow; it stays within the editing/export domain. Minor scope notes: it instructs the agent to detect the agent's install path (~/.clawhub, ~/.cursor/skills/) to set an X-Skill-Platform header and the YAML frontmatter lists a config path (~/.config/nemovideo/) — these involve reading local paths that are not strictly necessary for basic video upload/render and should be considered by the user.
Install Mechanism
ok
No install spec or code files are present (instruction-only); nothing is downloaded or written to disk by an installer. This is the lowest install risk.
Credentials
ok
Only NEMO_TOKEN is declared as required and used for Bearer authorization to the service. The SKILL.md also describes a method to obtain an anonymous NEMO_TOKEN from the backend if none is present — consistent with the skill's need for an API token. No unrelated credentials or broad secrets are requested.
Persistence & Privilege
ok
always is false and the skill does not request persistent system-level privileges. It uses session tokens for jobs but does not instruct modifying other skills or system-wide settings. Autonomous invocation is allowed but that is platform default.