Skill v1.0.0

ClawScan security

For Beginners Photo Video Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 12:40 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent for a cloud-based photo→video service, but there are small metadata inconsistencies and the skill will upload user photos and create/store an anonymous API token — you should confirm where tokens/files are stored and that you trust the remote host before installing.
Guidance
This skill is coherent for a cloud photo→video service, but before installing: (1) confirm you are comfortable uploading your photos to https://mega-api-prod.nemovideo.ai and review that service's privacy/terms, (2) decide whether to supply your own NEMO_TOKEN or allow the skill to auto-create an anonymous token (auto-generated tokens carry 100 credits and are valid ~7 days), (3) ask where the token/session will be stored (the SKILL.md mentions ~/.config/nemovideo/ but registry metadata omitted it), and (4) if you need stricter control, provide your own token and verify the skill does not persist secrets to unexpected locations. The metadata inconsistency is not a functional red flag but is worth verifying with the skill author or registry before use.

Review Dimensions

Purpose & Capability
ok: The skill is a cloud-based photo-to-video renderer and it asks only for a service token (NEMO_TOKEN) and uses the nemovideo.ai API endpoints it documents. Requiring an API token is appropriate for this purpose. Minor inconsistency: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) for storing state but the registry metadata earlier listed no required config paths.
Instruction Scope
ok: SKILL.md instructs the agent to upload images, open sessions, use SSE for edits, poll export status, and include the bearer token on requests — all consistent with the stated video-rendering purpose. It also instructs the agent to auto-request an anonymous token if none is present and to avoid showing raw token values to users. These actions involve sending user images and metadata to the external API (mega-api-prod.nemovideo.ai), which is expected but important for privacy.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code to download, so there is no installation-time code execution or archive extraction risk.
Credentials
note: Only one credential (NEMO_TOKEN) is requested, which matches the integration. The skill also documents an optional config path for session/token storage; the registry metadata does not list that path, which is an inconsistency to be aware of. The runtime instructions will generate and persist an anonymous token when none is supplied — you should confirm where that token will be stored (agent storage, environment, or ~/.config/nemovideo/) before proceeding.
Persistence & Privilege
ok: always:false and normal autonomous invocation are set. The skill may persist a session/token for up to 7 days (per API behavior) but it does not request elevated system-wide privileges or claim permanent presence.