Skill v1.0.0

ClawScan security

Video Maker Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 9:06 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video creation) matches its instructions, but it sends user files and tokens to an unknown third-party API, has a metadata/registry mismatch about config paths, and lacks an identifiable source/homepage — these inconsistencies and privacy risks warrant caution.
Guidance
This skill will upload your files and use a bearer token (NEMO_TOKEN or an anonymously fetched token) to a third-party domain (mega-api-prod.nemovideo.ai). Before installing or using it, verify the service/operator (homepage, privacy policy, who runs the domain), and avoid sending sensitive or proprietary media. Ask the publisher for a repository or company identity, clarify data retention and sharing policies, and confirm whether the listed config path (~/.config/nemovideo/) is actually required. If you must try it, prefer ephemeral/test content and do not reuse production credentials. The metadata mismatch and lack of a verifiable source are the main reasons for caution.

Review Dimensions

Purpose & Capability
ok
Name/description (make and export videos) align with the runtime instructions: uploading media, creating a session, using SSE, and exporting rendered MP4s via the nemovideo backend. The single declared credential (NEMO_TOKEN) is appropriate for an API-backed video service.
Instruction Scope
concern
Instructions direct the agent to upload user media (up to 500MB) and to POST/GET to https://mega-api-prod.nemovideo.ai for auth, session, upload, export and polling. This is consistent with the skill purpose, but it meaningfully exfiltrates user files and metadata to an external service. The skill also prescribes adding attribution headers and re-acquiring anonymous tokens if no NEMO_TOKEN is present. The SKILL.md frontmatter lists a required config path (~/.config/nemovideo/) that is not reflected in the registry metadata (the registry lists none); this mismatch is an inconsistency to investigate.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer; runtime behavior will perform network calls only.
Credentials
note
Only one env var is declared (NEMO_TOKEN), which is proportionate for a hosted API service. However, the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) despite the registry saying there are no required config paths, which is an inconsistency. The skill will also generate an anonymous token if none is present (reasonable), but this means media and any generated token will be sent to an external domain.
Persistence & Privilege
ok
always:false and normal invocation/autonomy settings. The skill does not request persistent or system-wide privileges and doesn't indicate modifying other skills or global agent config.