Skill v1.0.0
ClawScan security
Japanese Photo Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 5:12 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is mostly consistent with a cloud photo-to-video service, but there are a few mismatches (undeclared config path in the skill frontmatter, expectations about detecting an install path, and automatic token generation) that merit caution before installing or using it.
- Guidance: This skill generally behaves like a cloud photo-to-video client: it uploads your photos to a remote service (mega-api-prod.nemovideo.ai), uses a service token (NEMO_TOKEN), and returns a render URL. Before installing or using it, consider: (1) Privacy/trust — your photos are uploaded to a third party; confirm data retention and sharing policies. (2) Token handling — the skill can auto-generate a short-lived anonymous token; ask where that token and the session_id will be stored (in-memory only, or written under ~/.config/nemovideo/?). (3) The SKILL.md mentions reading/detecting an install path and a config directory (~/.config/nemovideo/) but the registry didn’t list that config path — ask the publisher to clarify whether the skill will read or write local config files. (4) Confirm expected headers and that no other environment variables or credentials are required. If you lean on this skill, review the remote service's privacy/terms and avoid uploading sensitive images until you’re comfortable with those policies.
Review Dimensions
- Purpose & Capability (note): Name/description (turn Japan photos into videos) matches the API endpoints and actions described (upload, render, export). Requesting a single service token (NEMO_TOKEN) is proportionate. However, SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and an instruction to auto-detect an install path for X-Skill-Platform; the registry metadata shown earlier did not declare a required config path — this mismatch is an incoherence to verify.
- Instruction Scope (note): Instructions stay within the stated purpose: authenticate (or get anonymous token), upload media, drive SSE-based editing, poll export status, and return a download URL. They require reading NEMO_TOKEN from environment (explicit) and performing network calls to mega-api-prod.nemovideo.ai. They also specify adding attribution headers and 'auto-detect' platform from install path, which implies reading agent/install path metadata (not fully explained). No instructions tell the agent to read unrelated files or other environment variables, but the implicit install-path detection and the frontmatter config path suggest additional local file access might occur unless clarified.
- Install Mechanism (ok): There is no install spec and no code files — lowest-risk instruction-only skill. Nothing would be written to disk by an installer from this package itself.
- Credentials (concern): The skill declares a single required env var (NEMO_TOKEN), which is appropriate. But SKILL.md frontmatter also lists a config path (~/.config/nemovideo/), which was not reflected in the provided registry-level requirements — this discrepancy could mean the skill expects to read/write that local config (potentially storing tokens or session state). The skill also instructs automatic acquisition of an anonymous token via the service API if NEMO_TOKEN is not set; understand where the obtained token/session_id will be stored and for how long.
- Persistence & Privilege (ok): Skill does not request 'always: true' and does not ask to modify other skills or system-wide settings. It is user-invocable and may run autonomously per platform defaults, which is normal. No elevated persistence is requested in the manifest.
