Skill v1.0.0
ClawScan security
Korean Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 8:56 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose (cloud video editing and Korean subtitles); it asks only for a single service token and uploads user video to a named third-party API, which is expected for this capability.
- Guidance: This skill is coherent for cloud-based Korean subtitle/video editing, but before installing consider: (1) It will upload your raw video and metadata to mega-api-prod.nemovideo.ai — only proceed if you trust that service and understand its privacy/retention policies. (2) The skill needs a NEMO_TOKEN (or will request an anonymous token from the service) — treat that token like an account credential. (3) The agent may check common install paths to build an X-Skill-Platform header; if you dislike any local path inspection, avoid installing. (4) If you care about long-term control, prefer supplying a scoped/dedicated API token (not one tied to unrelated access), and confirm how the service handles deleted/orphaned render jobs and stored media. (5) If you want stronger assurance, verify the domain and service independently (homepage, privacy policy, or official docs) before providing tokens or uploading sensitive footage.
Review Dimensions
- Purpose & Capability (ok): Name/description (Korean subtitle video editing) align with requested artifact: a single service credential (NEMO_TOKEN) and calls to nemovideo.ai endpoints for upload, SSE chat, render/export and polling. No unrelated credentials or binaries are requested.
- Instruction Scope (note): SKILL.md instructs the agent to upload user videos and other media to https://mega-api-prod.nemovideo.ai, create/use session tokens, stream edits via SSE, poll for renders and return download URLs — all expected for a cloud render service. It also asks the agent to include attribution headers and to detect the agent install path (e.g., ~/.clawhub/ or ~/.cursor/) to set X-Skill-Platform, which requires checking local filesystem paths; this is not strictly needed for core editing but is limited in scope.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. Lowest install risk.
- Credentials (ok): Only one environment variable (NEMO_TOKEN) is required, which maps to the API used. The skill documents anonymous-token creation when a token is absent. No unrelated secrets or broad credential requests are present.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated platform privileges. It instructs saving a session_id for job tracking (normal for asynchronous renders) but does not instruct modifying other skills or system-wide config.
