Skill v1.0.0
ClawScan security
Portugues Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 4:54 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill’s runtime instructions mostly match a cloud video-editing purpose, but small inconsistencies (declared config path in SKILL.md vs registry metadata) and the instructions to auto-generate and silently store/hide tokens merit caution before installing.
- Guidance: This skill appears to talk to an external video-processing API and needs one credential (NEMO_TOKEN). Before installing: (1) verify the external domain (mega-api-prod.nemovideo.ai) is trusted and acceptable for uploading your videos and metadata, (2) ask the author to explain the config-path discrepancy (SKILL.md mentions ~/.config/nemovideo/ while registry metadata lists none), (3) prefer supplying your own NEMO_TOKEN (if the service supports it) rather than letting the skill auto-generate one, and (4) be aware the instructions explicitly tell the agent not to show raw API responses or tokens — this is reasonable for secrets, but it also means you should trust the service because the skill will hide token values from the user interface. If you need higher assurance, request source/hosting info or a canonical homepage before use.
Review Dimensions
- Purpose & Capability
- note: Name/description (Portuguese video editing) aligns with the API endpoints and flows in SKILL.md (upload, SSE, render/export). However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata did not list — this mismatch should be explained (does the skill read/write user config files?).
- Instruction Scope
- note: Instructions are detailed and remain within an editing/exporting workflow (session creation, SSE, upload, export polling). Two items to note: (1) the skill instructs automatic anonymous-token generation if NEMO_TOKEN isn't present, and (2) it explicitly tells the agent not to display raw API responses or token values to users. Both are plausible for a managed backend but give the agent discretion to obtain and hide credentials, which increases the need for trust in the external service.
- Install Mechanism
- ok: No install spec or on-disk code — an instruction-only skill is lower risk. No downloads or third-party installs are requested.
- Credentials
- note: Only one credential (NEMO_TOKEN) is required, which fits a remote video-processing service. But SKILL.md also references a config path (~/.config/nemovideo/) that could imply file access not declared in the registry metadata; clarify whether the skill will read/write that path. The skill’s behavior of obtaining a token automatically reduces the need for user-supplied secrets but also means the skill can authenticate to the external service on the user’s behalf.
- Persistence & Privilege
- ok: always=false and no claims of modifying other skills or system settings. The skill requires no elevated persistence privileges.
