Skill v1.0.0
ClawScan security
Music Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 5:31 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud-based AI music/video rendering service — it only needs a service token and uses the described API endpoints, but it will send uploaded media to an external backend and may persist session/token data locally.
- Guidance: This skill appears to be what it says: a cloud-based music/video rendering helper that uses a NEMO_TOKEN to call nemo-video APIs. Before installing, consider: (1) It will upload media to an external service (mega-api-prod.nemovideo.ai) — do not upload sensitive or private videos you don't want sent offsite. (2) If NEMO_TOKEN is not provided, the skill will obtain an anonymous token for you and may store that token and session IDs locally (metadata hints at ~/.config/nemovideo/). Ask where tokens/session data are stored and how long they are retained if that matters to you. (3) The skill includes logic to detect the install path for attribution headers — this requires reading the agent environment but is reasonable for header population; still confirm you are comfortable with that. (4) Because this is instruction-only with no code to inspect, only network behavior is visible at runtime — if you need stronger assurance, test with non-sensitive files first or run in an environment that you control. If any of the above is unacceptable, do not enable the skill, or require an explicit NEMO_TOKEN you control instead of allowing anonymous token creation.
Review Dimensions
- Purpose & Capability (ok): The name and description (generate music-backed videos) match the declared requirement (NEMO_TOKEN) and the API endpoints referenced in SKILL.md. There are no unrelated credentials or binaries requested.
- Instruction Scope (note): Instructions are focused on connecting to the nemo video backend, uploading media, streaming SSE, and polling job status. They explicitly instruct obtaining an anonymous token if NEMO_TOKEN is absent and storing session_id for subsequent requests. The guidance is somewhat vague about where/how tokens/session IDs are stored and about attribution header detection (reads install path), which is legitimate for attribution but leaves persistence behavior unspecified.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files to write to disk. That is the lowest-risk installation model.
- Credentials (note): Only NEMO_TOKEN is required and serves as the service bearer token — this is proportionate. The metadata also lists a config path (~/.config/nemovideo/) which indicates the skill may read/write local config; this is plausible but not strictly justified in the instructions and merits user attention.
- Persistence & Privilege (note): The skill does not request always:true or elevated platform privileges. It will persist a session_id and may persist an anonymous token (the SKILL.md instructs to 'store' the token/session). The storage location and retention are unspecified, so persistence scope is unclear.
