Skill v1.0.0

ClawScan security

Copyright Free Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 4:47 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud video-processing service that uploads videos, obtains/uses a NEMO_TOKEN, and drives remote render/upload SSE APIs; nothing requested appears unrelated to its stated purpose.
Guidance
This skill will upload whatever video/audio you provide to an external service (mega-api-prod.nemovideo.ai) and use/obtain a NEMO_TOKEN to act on your behalf. Before installing or using it:
1) confirm you trust the external service and its privacy/storage policy (who keeps your uploaded media and for how long);
2) avoid sending sensitive or private video content unless you accept that it will be transmitted to that API;
3) note the skill may persist a session_id and may store a token for subsequent calls — treat the token like a password;
4) the skill reads its own frontmatter and may inspect install paths to populate attribution headers (this requires local file/path access) — if you prefer the agent not to read local paths, do not enable the skill;
5) if you need more assurance, ask the publisher for a public homepage, documentation, or the service's terms/privacy before proceeding.

Review Dimensions

Purpose & Capability
ok: Name and description match the declared requirements: the skill needs a NEMO_TOKEN and talks to nemovideo endpoints for uploads, session management, SSE chat, and exports — all expected for a cloud video/music-processing integration.
Instruction Scope
note: Instructions remain within the editing/uploading workflow (create/refresh token, open session, upload files, run exports, poll state, read SSE). Minor scope note: the skill instructs the agent to read the SKILL.md frontmatter for attribution headers and to detect install path to set X-Skill-Platform, which requires local file/path inspection; this is plausibly for telemetry but is broader than strictly needed to call the API.
Install Mechanism
ok: No install spec or package downloads — instruction-only skill (lowest install risk). Nothing is written to disk by an installer step in the manifest.
Credentials
ok: Only one credential is declared (NEMO_TOKEN) and the SKILL.md describes obtaining an anonymous short-lived token if none exists; that matches the service's needs. Metadata lists a config path (~/.config/nemovideo/) which is plausible for storing session or token data but should be considered by users.
Persistence & Privilege
ok: Skill is not always-included and does not claim elevated platform privileges. It asks to save a session_id (normal for session-based APIs) and may store/refresh a token — expected for a long-running cloud job workflow.