Skillv1.0.0

ClawScan security

Referenced Shortform Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 4:48 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are generally consistent with a cloud-based video clipping service, but there are small metadata/instruction inconsistencies and you should only upload content you trust the remote service to handle.
Guidance: This skill talks to https://mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN (or will request an anonymous token for you). Before using it: 1) Only upload media you are comfortable sending to an external service — videos may contain sensitive data. 2) Prefer supplying your own NEMO_TOKEN if you have an account so you control credentials; anonymous tokens are short-lived and created by the agent contacting the service. 3) Note the small metadata mismatch (a config path is listed in the SKILL.md frontmatter but not in the registry); this is likely minor but worth asking the publisher to clarify. 4) If you need a privacy/retention guarantee, request the vendor's privacy policy or a homepage — this package has no homepage listed. If you trust nemovideo.ai and are fine uploading files to a cloud GPU service, the skill appears consistent with its stated purpose.

Review Dimensions

Purpose & Capability: noteThe skill claims to clip and export short videos and only requests a single service token (NEMO_TOKEN), which matches that purpose. Minor inconsistency: the SKILL.md YAML frontmatter references a config path (~/.config/nemovideo/) but the registry metadata above listed no required config paths.
Instruction Scope: okSKILL.md instructs the agent to obtain/use a NEMO_TOKEN, create a session, upload video files, start SSE-based interactions, and request renders from the nemovideo.ai API — all actions expected for a remote render/clip service. The instructions do reference inspecting an install path to set X-Skill-Platform (e.g., ~/.clawhub/ or ~/.cursor/skills/) which requires a filesystem check, but this is limited and explained in the file. The instructions do not ask the agent to read unrelated system files or arbitrary credentials beyond NEMO_TOKEN.
Install Mechanism: okThere is no install spec and no code files — instruction-only. That means nothing is written to disk by the skill itself, which is the lowest-risk install posture.
Credentials: noteThe only declared credential is NEMO_TOKEN (primaryEnv), which is appropriate for a third-party API. The SKILL.md also describes auto-generating an anonymous token by calling the service if NEMO_TOKEN is not set; that behavior is plausible but means the agent will initiate network calls to obtain credentials on the user's behalf if none are present. There is a small mismatch between the registry 'required config paths: none' and the SKILL.md frontmatter that lists a config path.
Persistence & Privilege: okThe skill is not marked always:true and does not request elevated system-wide privileges. It will create API sessions and render jobs on the remote service and instruct the agent to store session_id for subsequent calls; this is reasonable for the stated purpose. Autonomous invocation is allowed (platform default) and appropriate here.