Skillv1.0.0

ClawScan security

Converter To Mp4 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 27, 2026, 4:48 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud-based video-to-MP4 converter: it asks for one service token, describes API calls to a rendering backend, and has no install or unrelated credential demands.
Guidance: This skill sends whatever video files you provide to a third-party rendering service (mega-api-prod.nemovideo.ai) and needs a NEMO_TOKEN (or it can create a 7-day anonymous token). Before using it, consider: 1) Do you trust the remote service to store/process your videos (privacy/confidentiality)? 2) If you already have a NEMO_TOKEN, this skill will use it—avoid supplying a token that authorizes more than you intend. 3) Clarify the config-path mention (~/.config/nemovideo/) with the author—it could read or write a local config directory. 4) No local install is required, but the agent will upload files you provide; avoid uploading sensitive content unless you’re comfortable with the service’s policies.

Purpose & Capability: okThe name/description (convert video → MP4) matches the SKILL.md instructions (create session, upload video, request render, download URL). Requiring NEMO_TOKEN and calls to mega-api-prod.nemovideo.ai are coherent with remote rendering.
Instruction Scope: okRuntime instructions only direct the agent to obtain or use an API token, create sessions, upload files, use SSE for streaming responses, poll render status, and return download URLs. They do not instruct reading unrelated system files, other environment variables, or exfiltrating data beyond the rendering service. The skill explicitly instructs not to print tokens or raw JSON.
Install Mechanism: okThere is no install specification and no code files — the skill is instruction-only, which minimizes disk-writing/install risk.
Credentials: noteThe skill only requires one credential (NEMO_TOKEN), which is proportional for a third‑party API. One minor inconsistency: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata listed 'Required config paths: none' — this should be clarified (the skill may expect to read or write a per-user config directory). Otherwise no unrelated secrets are requested.
Persistence & Privilege: okalways:false (not force-included). Model invocation is allowed (normal). The skill does not request to modify other skills or system-wide configuration in its instructions.