Skill v1.0.0
ClawScan security
Video Maker Ai Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 11, 2026, 8:18 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's network-backed video processing behavior matches its description, but there are inconsistencies between declared requirements and the runtime instructions (token handling and config-path checks) and it will upload user media to a third-party endpoint—so review before installing.
- Guidance: This skill sends your uploaded media and API calls to mega-api-prod.nemovideo.ai and uses a NEMO_TOKEN bearer token. Before installing or using it: 1) Confirm you trust the nemovideo domain and are comfortable uploading any media (it will leave your machine). 2) Note the registry says NEMO_TOKEN is required but the SKILL.md describes an anonymous-token flow—ask the publisher which is intended and whether tokens are stored or only used in-memory. 3) The skill may read install paths and a ~/.config/nemovideo/ path for attribution/platform detection—if you have sensitive files in those locations, be cautious. 4) The skill has no source/homepage or code to inspect (instruction-only from an unknown owner); prefer skills from known publishers or request the source and privacy policy before sending sensitive content. If you proceed, consider creating an anonymous account or using disposable/test media first.
Review Dimensions
- Purpose & Capability (concern): The skill claims to be a cloud video maker and all network calls target a video backend (mega-api-prod.nemovideo.ai), which is coherent. However, registry metadata declares NEMO_TOKEN as a required primary env var while the SKILL.md explicitly describes auto-obtaining an anonymous token if NEMO_TOKEN is absent. Also the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and logic to detect install paths for attribution, but the registry-level required config paths are 'none' — this mismatch suggests metadata and runtime instructions are not fully aligned.
- Instruction Scope (note): Runtime instructions direct the agent to upload user media and run render/export workflows on the remote service (expected). They also instruct reading the skill's frontmatter (to populate attribution headers) and detecting install paths (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform; detecting install paths implies reading filesystem locations in the user's home directory, which expands scope beyond pure network calls. The instructions otherwise stay within the stated video creation purpose.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That is lower-risk compared with skills that download and extract binaries.
- Credentials (note): Only NEMO_TOKEN is declared. That is reasonable for a third-party API, but the SKILL.md describes generating an anonymous token via a POST to the backend when NEMO_TOKEN is absent (100 free credits, 7-day expiry), which makes the registry declaration 'required' ambiguous. The skill does not request unrelated secrets, but the mismatch (required vs optional via anonymous flow) should be clarified.
- Persistence & Privilege (note): The skill does not request 'always: true' and does not claim to modify other skills. However it instructs reading local install paths and possibly a user config directory (~/.config/nemovideo/), which are modest filesystem accesses beyond purely sending requests. The skill also instructs making repeated network calls and polling exports; that is expected for its function.
