Skill v1.0.0
ClawScan security
Ai Video Marketing Automator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 21, 2026, 1:48 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches a cloud video-rendering service, but there are inconsistencies and privacy/operational concerns you should know before installing or using it.
- Guidance: This skill appears to be what it says, a cloud-based video rendering helper, but exercise caution before installing or using it. Key points to consider:
  - Data privacy: any video you upload will be sent to https://mega-api-prod.nemovideo.ai. Do not upload sensitive or confidential footage unless you trust that domain and its operator and have reviewed their privacy/terms. The skill's owner is unknown.
  - Token behavior: the metadata declares a required NEMO_TOKEN, but the instructions will auto-request an anonymous token if none is present. That automatic flow is not inherently malicious but is inconsistent with the declared requirements; clarify whether you must supply your own token or if the skill will always create/hold ephemeral tokens.
  - Filesystem access: the instructions ask the agent to detect install paths (e.g., ~/.clawhub, ~/.cursor/skills/) which implies reading locations under your home directory. If you want to limit exposure, avoid running this skill in environments with sensitive files or use sandboxes.
  - Verify the service: the API host (mega-api-prod.nemovideo.ai) is not documented in the skill's source/homepage. If you rely on this service for business or sensitive content, ask the skill author for official documentation, privacy policy, and ownership details.

  If you decide to proceed: prefer providing your own service credentials only if you trust the operator, review what files you upload, and consider testing with non-sensitive sample videos first. If you want a higher-assurance option, request a self-hosted or open-source alternative from the author.
Review Dimensions
- Purpose & Capability (note): Name/description match the runtime instructions: it uploads user video, creates sessions, and requests renders from a remote GPU backend (mega-api-prod.nemovideo.ai). The single required credential (NEMO_TOKEN) is appropriate for a cloud service. However, metadata declares NEMO_TOKEN as required yet the instructions include an automatic anonymous-token flow (inconsistency). The skill also expects to detect install-paths (~/.clawhub, ~/.cursor/skills/) for X-Skill-Platform attribution but those paths were not declared in the configPaths metadata.
- Instruction Scope (concern): SKILL.md instructs the agent to upload user-supplied video to an external API, create sessions, poll for render status, and post files/URLs, which is expected for this purpose. Concerns: it reads filesystem install paths to set X-Skill-Platform (access to user home dirs), and it instructs generating/storing/using an anonymous token when NEMO_TOKEN is absent despite NEMO_TOKEN being listed as required. The skill will transmit user video and session state to a third-party endpoint; users should understand that uploaded media and metadata leave their machine.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest installation risk surface.
- Credentials (note): Only NEMO_TOKEN is requested, which is proportionate for a cloud API. But there's a mismatch: metadata marks NEMO_TOKEN required while the instructions implement an anonymous-token acquisition flow (network call to get a short-lived token). No other credentials are requested, which is appropriate.
- Persistence & Privilege (ok): always is false and there is no install persistence. The skill can be invoked autonomously (platform default) but it does not request elevated persistent privileges or modify other skills' configs.
