Skill v1.0.0

ClawScan security

Video Highlight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 18, 2026, 12:35 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud-based video highlight service: it needs a single service token and describes uploading, session creation, and export workflows to that backend.
Guidance
This skill will upload your raw video files to an external service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN to authorize calls; if you don't provide one it will obtain an anonymous token automatically (100 free credits, 7‑day expiry). Before installing, consider:
1) Privacy: any sensitive footage will be sent to the remote backend — review the service's privacy/retention policy and avoid uploading confidential recordings.
2) Token handling: the skill may obtain and use an anonymous token; decide whether you prefer to supply your own token instead of letting it create one.
3) Local metadata: the skill attempts to set attribution headers by detecting install paths (it may probe typical skill install locations), which could reveal local path information — if that concerns you, run the skill in a constrained environment.
If these tradeoffs are acceptable and you trust the external service, the skill's behavior is coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok: The skill claims to perform cloud-based video highlight extraction and only requests a single service credential (NEMO_TOKEN) and a config path for the service; both are appropriate and expected for a cloud render/upload workflow.
Instruction Scope
note: Instructions are focused on session creation, upload, SSE-driven edits, and export polling. They explicitly require sending raw video to a remote API (coherent for this purpose). Minor scope notes: the agent is asked to derive attribution headers from an install path (detecting ~/.clawhub/, ~/.cursor/skills/, otherwise 'unknown') — that implies the agent may probe the runtime/install location, which is not strictly necessary for core functionality and may expose local path information.
Install Mechanism
ok: No install spec and no code files are present (instruction-only), so nothing will be written to disk by the skill itself during install. This is the lowest-risk install model.
Credentials
note: The only declared required environment variable is NEMO_TOKEN (primary credential), which is proportionate. The skill also declares a config path (~/.config/nemovideo/) in metadata. The runtime instructions include a fallback anonymous-token flow that will POST to the remote endpoint to obtain a temporary token if NEMO_TOKEN is absent — this is consistent with the declared primaryEnv but means the agent will perform network auth and may persist/use that token for up to 7 days.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It does ask to keep session_id and to use tokens for multiple calls (normal for a sessioned API); nothing indicates it will modify other skills or system-wide settings.