Skill v1.0.0

ClawScan security

Add Music To Best · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 8:02 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with a cloud video-processing service: it uploads user videos to a remote API and requires a NEMO_TOKEN (or will mint an anonymous one), with no install or excessive local access.
Guidance
This skill uploads any video/audio you provide to mega-api-prod.nemovideo.ai for remote processing and requires a NEMO_TOKEN (or will create an anonymous token with limited credits/7‑day expiry). Before installing: (1) Confirm you trust the nemovideo domain and its privacy/storage policy since media will leave your machine. (2) If you prefer control, set a NEMO_TOKEN in your environment rather than allowing the skill to mint anonymous tokens. (3) Be aware the skill reads its own frontmatter and checks install paths to set attribution headers (it may observe where the skill is installed). (4) Note the minor metadata inconsistency about config path declaration in the SKILL.md frontmatter — benign but worth confirming with the publisher if you need strict guarantees.

Review Dimensions

Purpose & Capability
note: The skill's name/description (add background music to short videos) matches the runtime actions (upload, create session, render/export) and the single required credential (NEMO_TOKEN). Minor inconsistency: the top-level registry said no required config paths but the SKILL.md frontmatter lists ~/.config/nemovideo/ as a config path.
Instruction Scope
note: Runtime instructions are narrowly scoped to interacting with the nemo backend (session creation, SSE chat, upload, export, polling). They also instruct reading the skill's own frontmatter and detecting install path to populate X-Skill-Platform headers — this requires inspecting local install paths (only the skill file/paths), which is reasonable but worth noting as it reveals install-location information.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install pattern.
Credentials
ok: Only NEMO_TOKEN (primary credential) is requested, which is appropriate for a cloud rendering service. The skill can also auto-obtain an anonymous NEMO_TOKEN by calling the provider's anonymous-token endpoint if no env var is present; that behavior is documented in SKILL.md and is consistent with the stated purpose.
Persistence & Privilege
ok: The skill does not request always:true and does not declare modifications to other skills or system-wide settings. It maintains short-lived session IDs/tokens for the remote service only.