Skill v1.0.0

ClawScan security

Royalty Free Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 4:08 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent for a cloud video-rendering service: it needs a single service token (NEMO_TOKEN) and calls nemovideo.ai endpoints to upload and render videos; no installs or unrelated credentials are requested.
Guidance
This skill appears to do what it claims: it uploads user video to a nemovideo.ai backend, uses a single service token (NEMO_TOKEN) or an anonymous token it obtains, and returns rendered MP4s. Before installing or using it:
(1) Confirm you trust https://mega-api-prod.nemovideo.ai and review its privacy/retention policy because you will be uploading video (up to 500MB).
(2) Prefer providing a purpose-limited token (not a long-lived privileged secret) and rotate it if possible.
(3) Note the skill may read its own SKILL.md and check common install paths and ~/.config/nemovideo/ for attribution/config; if you have sensitive files in those locations, review them first.
(4) The registry metadata and the SKILL.md have a small mismatch about config paths; ask the publisher to clarify if the skill will read ~/.config/nemovideo/.
Finally, because this skill uploads content to an external service, test with non-sensitive sample videos first.

Review Dimensions

Purpose & Capability
ok
Name and description match the behavior in SKILL.md: the skill uploads video, requests a session/token, posts render jobs, and returns a download URL. Requiring a single service credential (NEMO_TOKEN) is proportionate for a cloud API-based renderer.
Instruction Scope
note
Instructions are explicit about network calls to https://mega-api-prod.nemovideo.ai, SSE handling, upload endpoints, and export polling; they also ask the agent to read the skill's YAML frontmatter and detect install path (~/.clawhub/, ~/.cursor/skills/) for attribution. Reading its own SKILL.md and checking a few well-known install paths is reasonable, but it does involve limited filesystem access (skill file + optional install-path probes). The runtime instructions do not ask for unrelated system files or other credentials.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That reduces risk.
Credentials
note
Only one environment credential is required: NEMO_TOKEN (primaryEnv). The skill also documents obtaining an anonymous token if none is present. One minor inconsistency: the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/), but the registry-level Requirements summary showed no required config paths; this mismatch is likely benign but should be clarified.
Persistence & Privilege
ok
The skill is not always-enabled, does not request elevated or system-wide persistence, and does not attempt to modify other skills. It can be invoked autonomously (platform default), which is expected for skills of this type and is not by itself a red flag.