Skill v1.0.0
ClawScan security
Doorstep Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 4:25 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions line up with a cloud video-editing service; nothing appears to be doing unrelated credential access or installing arbitrary code, but there are a few metadata inconsistencies and privacy considerations you should review before using it.
- Guidance: This skill appears to do what it says: call a remote nemovideo render service to edit and export clips, and it needs a NEMO_TOKEN to operate (or it will request an anonymous token from the service). Before installing or using it, confirm you trust the remote host (https://mega-api-prod.nemovideo.ai), because uploaded doorstep footage can include sensitive personal data. Ask the author or registry owner to clarify the metadata mismatch (SKILL.md lists ~/.config/nemovideo/ while registry metadata listed no config paths). Also verify where NEMO_TOKEN should come from (are you expected to paste your account token, and does your org allow uploading this type of footage?). If you don’t want the skill to auto-request anonymous tokens, ensure the environment does not expose NEMO_TOKEN or that policy prevents automatic network auth flows.
Review Dimensions
- Purpose & Capability (ok): The skill claims to perform cloud video editing and only declares a single service credential (NEMO_TOKEN) needed to call the backend API. Requiring a token to use a remote render API is proportionate. One inconsistency: the SKILL.md frontmatter lists a configPath (~/.config/nemovideo/), but the registry metadata in the header says no required config paths — this mismatch should be clarified.
- Instruction Scope (note): All runtime steps are constrained to the nemovideo API (auth, session creation, upload, render, status). The skill instructs the agent to use NEMO_TOKEN if present or to request an anonymous token from the remote API (POST to https://mega-api-prod.nemovideo.ai). It requires specific attribution headers on every request. No instructions ask the agent to read unrelated files, other env vars, or to exfiltrate data to third parties beyond the stated backend. Note: the skill will generate a client UUID and perform network calls automatically if no token is present—this is expected but worth user awareness.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest-risk install footprint. Nothing is downloaded or written to disk by the skill itself according to the package contents.
- Credentials (note): Only NEMO_TOKEN is declared as required and is the primary credential — appropriate for a cloud API. The skill will also generate and use an anonymous token if no NEMO_TOKEN is present. The earlier-mentioned mismatch about configPaths in the SKILL.md frontmatter versus registry metadata should be resolved (why is ~/.config/nemovideo/ listed in frontmatter if registry metadata shows none?).
- Persistence & Privilege (ok): always:false and no indication of modifying other skills or system-wide agent settings. The skill does not request permanent platform-level privileges.
