Skill v1.0.0

ClawScan security

Video Game Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 4:51 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud video-processing service that needs a NEMO_TOKEN and session-based API access — nothing in the SKILL.md asks for unrelated secrets or system access.
Guidance
This skill appears to do what it says: it uploads videos to nemo's cloud API, requests a session token (NEMO_TOKEN), and renders music-enhanced video exports. Before installing: (1) Confirm you trust the domain mega-api-prod.nemovideo.ai and the publisher — the skill will send your video files and use the provided NEMO_TOKEN to act on your behalf. (2) Prefer short-lived or scoped tokens if possible (anonymous tokens are supported per SKILL.md). (3) Clarify the minor metadata mismatch about ~/.config/nemovideo/ (does the skill expect to read that folder?). (4) Don’t paste long-lived personal credentials unless you control or trust the service; monitor and revoke the token after use if you’re unsure. Overall the skill is internally consistent, but verify the service endpoint and token scope before sending sensitive or private videos.
Findings
[no_code_files] expected: The regex scanner found nothing because this is an instruction-only skill (SKILL.md contains the runtime behavior). This is expected for a purely API-driven skill.

Review Dimensions

Purpose & Capability
note: The skill claims to add background music and produce rendered MP4s and only asks for a single service credential (NEMO_TOKEN) and API calls to mega-api-prod.nemovideo.ai, which is coherent. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata above lists no required config paths; this is likely harmless but worth clarifying.
Instruction Scope
note: Instructions are narrowly scoped to creating or obtaining a token, opening a session, uploading video files, streaming SSE messages, polling render status, and downloading results. The skill does not instruct reading arbitrary system files or unrelated environment variables. One small vagueness: it asks to 'auto-detect' X-Skill-Platform from the install path (which could require inspecting the agent's runtime/install path); this is a minor, explainable implementation detail but should be clarified.
Install Mechanism
ok: No install spec and no code files — this is instruction-only, so nothing is written to disk or downloaded by the skill itself.
Credentials
note: Only NEMO_TOKEN is required (declared as primaryEnv), which matches the stated cloud API usage. The SKILL.md frontmatter references a service-specific config path (~/.config/nemovideo/) — access to that path would be reasonable if it stores service config, but the registry lists no required config paths, creating a minor mismatch that should be clarified.
Persistence & Privilege
ok: The skill is not set always:true, does not request system-level persistence or modification of other skills, and is instruction-only. Autonomous invocation is allowed (platform default) but by itself is not a red flag here.