Skill v1.0.0
ClawScan security
Volcengine Ai Audio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 15, 2026, 5:18 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud audio enhancement) fits the network calls and token use, but there are small mismatches and scope creep (reading install/config paths) that are unexplained and worth clarifying before installing or uploading sensitive media.
- Guidance: This skill appears to do what it says (upload files to a nemovideo backend and return enhanced audio), but a few things merit caution: (1) Confirm the domain (mega-api-prod.nemovideo.ai) and trustworthiness — your uploaded media will be sent there. (2) Ask the skill author why registry metadata and SKILL.md disagree about config paths; the skill may try to read ~/.config/nemovideo/ or detect install paths (~/.clawhub/, ~/.cursor/...) which is outside pure audio processing. (3) Decide whether you’re comfortable the skill will create/use an anonymous token (it can auto-request one) and that tokens are kept confidential. (4) Avoid uploading sensitive audio/video until you verify data retention and privacy policies and the skill's provenance (homepage/owner info). If you need to proceed, prefer providing a dedicated (limited-scope) NEMO_TOKEN and request clarification from the author about the config-path and install-path checks.
Review Dimensions
- Purpose & Capability (note): The name/description align with remote GPU audio processing and the skill only requires a single service token (NEMO_TOKEN), which is proportionate. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that is not present in the registry-level metadata shown earlier — that mismatch is unexplained.
- Instruction Scope (concern): Runtime instructions sensibly describe session creation, upload, SSE, polling, and exporting to a nemovideo API. But the skill also instructs the agent to derive an X-Skill-Platform header from the agent's install path (e.g., checking ~/.clawhub/ or ~/.cursor/skills/). Detecting install paths or reading those paths is outside the core job of audio enhancement and could require inspecting user filesystem layout. The skill also auto-generates an anonymous token via a POST call if NEMO_TOKEN is missing — that behavior is expected but involves network calls and ephemeral credential issuance.
- Install Mechanism (ok): This is instruction-only (no install spec, no code files), so nothing is written to disk by a packaged installer. That is the lowest-risk install mechanism.
- Credentials (note): The only declared required environment variable is NEMO_TOKEN (primary credential), which is appropriate for a cloud API integration. However, SKILL.md's frontmatter references a config path (~/.config/nemovideo/) even though the top-level registry metadata listed no required config paths; that inconsistency could indicate the skill expects local config files or credentials beyond the NEMO_TOKEN.
- Persistence & Privilege (ok): The skill does not request always:true and does not ask to modify other skills or system-wide configuration. It asks the agent to keep a session_id during operation but does not instruct persistent writes. Autonomous invocation is allowed (platform default) but not a unique risk here.
