Skill v1.0.0
ClawScan security
Video Google · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 4:29 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud video-search/export tool; it only asks for a single service token and to upload user-provided videos to the listed nemovideo API, with one small metadata mismatch to review.
- Guidance: This skill appears to do what it says: it uploads videos you provide to a nemovideo cloud API and returns rendered clips, using a single NEMO_TOKEN credential. Before installing, consider: (1) Do you trust mega-api-prod.nemovideo.ai to receive and process your videos? Uploaded content may be retained by that service; check their privacy/retention and terms. (2) The skill can generate anonymous short-lived tokens (100 credits, 7-day expiry) if NEMO_TOKEN is not set; using your own token is safer than allowing automatic anonymous auth. (3) Clarify the metadata mismatch about ~/.config/nemovideo/; if the skill will read that folder, ensure it contains only what you expect. (4) The skill requires adding attribution headers to API calls (X-Skill-*); these are expected but may surface metadata in logs. If any of the above is unacceptable, do not install the skill or only use it with non-sensitive test videos. If you want higher assurance, ask the owner for a privacy/retention policy and confirm exactly which local paths (if any) the agent will read.
Review Dimensions
- Purpose & Capability (note): The name/description (search inside videos, export clipped MP4s) align with the declared NEMO_TOKEN credential and API calls to mega-api-prod.nemovideo.ai. Small inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) in metadata, but the registry summary earlier showed no required config paths; this mismatch should be clarified.
- Instruction Scope (ok): SKILL.md instructs only to check/use NEMO_TOKEN, optionally obtain an anonymous token from the nemovideo API, create a session, upload user-supplied video files, stream SSE results, and poll render status. It does not instruct reading unrelated system files or arbitrary environment variables, nor sending data to third parties beyond the documented nemovideo endpoints.
- Install Mechanism (ok): There is no install spec and no code files; this is an instruction-only skill. No downloads, no packages to be written to disk; low install risk.
- Credentials (note): Only NEMO_TOKEN is required (primary credential), which is proportional to the service. The SKILL.md metadata references a config path (~/.config/nemovideo/) not declared elsewhere, which implies the skill may read or expect local config files. Also, the skill asks to auto-detect an install path for X-Skill-Platform, which may involve reading environment/paths. Confirm whether the agent will access that config directory before installing.
- Persistence & Privilege (ok): always:false and normal autonomous invocation. The skill does not request persistent installation privileges or modifications to other skills; it only uses a session token for jobs.
