Skill v1.0.0
ClawScan security
Team Video Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 12, 2026, 12:25 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior largely matches a remote video-processing service, but it asks the agent to obtain and store credentials automatically, references a user config path in its own metadata (inconsistently with registry metadata), and will transmit uploaded media to an external API; these details merit caution before installing.
- Guidance: This skill appears to be a thin client for a remote video-rendering service and will upload whatever media you provide to mega-api-prod.nemovideo.ai. Before installing, consider: 1) Do you trust that external service and its privacy terms? Uploaded clips will be transmitted and rendered remotely. 2) The skill will obtain or use a NEMO_TOKEN: it can auto-generate an anonymous token and store session data (likely under ~/.config/nemovideo/). If you prefer control, pre-set NEMO_TOKEN yourself rather than letting the skill obtain/store it. 3) There is a minor inconsistency: the skill's SKILL.md metadata references a config path but the registry metadata did not; ask the publisher where tokens/sessions are stored and for a homepage/privacy policy. 4) If you need higher assurance, request provenance (who runs the nemovideo backend, privacy policy, and whether uploaded media are retained), or avoid installing until you can verify the service domain and owner identity.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actions described (upload clips, remote render, return MP4). The single required credential (NEMO_TOKEN) and endpoints are consistent with a hosted video-rendering service.
- Instruction Scope (note): Instructions stay within the video-rendering scope (authentication, session creation, upload, SSE streaming, render polling). They also direct automatic anonymous token acquisition and storage of session_id, and ask the agent to derive X-Skill-Platform from local install paths; these require the agent to read/write state and query filesystem/location info, which is slightly broader than simple request/response handling.
- Install Mechanism (ok): Instruction-only skill (no install spec, no code files): lowest installer risk. All runtime behavior is via HTTPS calls to the described backend.
- Credentials (note): Only NEMO_TOKEN is required (proportionate). However, the skill will auto-generate an anonymous token if none is present and implies storing credentials/session data (metadata includes a config path ~/.config/nemovideo/). Registry metadata shown to you earlier did not list a config path, so there's a small inconsistency about what it will read/write.
- Persistence & Privilege (note): always:false and normal autonomous invocation. The skill expects to store session tokens/IDs (and possibly config files under ~/.config/nemovideo/), which is normal for a client of a remote service but does grant persistent local state tied to your account/anonymous token.
