Skill v1.0.0
ClawScan security
Social Caption Ab · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 9:15 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are coherent with its stated purpose (cloud captioning and A/B caption generation) but there are a few metadata inconsistencies and privacy considerations you should review before installing.
- Guidance: This skill appears to do what it says (cloud-based A/B captioning) and only needs one API token, but check these before installing:
  1. No homepage or publisher site is provided — verify the vendor (nemovideo / mega-api-prod.nemovideo.ai) and confirm you trust that domain.
  2. The skill will upload your videos to an external cloud service (and can create an anonymous NEMO_TOKEN if you don't supply one) — do not use it with sensitive or private media unless you accept that.
  3. There's a minor metadata inconsistency: frontmatter references ~/.config/nemovideo/ while the registry entry did not; ask the author to clarify whether any files will be created on disk.
  4. If you supply your own NEMO_TOKEN, ensure it was issued by the official service and has appropriate scope; otherwise allow the anonymous token flow but be aware of the 7-day limited token and free-credit behavior.
  5. Prefer installing as user-invocable only (do not set always:true) and request a homepage/privacy policy from the publisher before use.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime behavior: the SKILL.md describes uploading videos and calling a nemo video backend to create captioned A/B renderings. Requesting a single NEMO_TOKEN credential is consistent with a cloud API-backed service. Minor inconsistency: the registry 'Requirements' said no config paths, but the SKILL.md frontmatter metadata includes a config path (~/.config/nemovideo/) — this is unexplained but not critical to the stated purpose.
- Instruction Scope (note): The instructions instruct the agent to look for NEMO_TOKEN and, if absent, obtain an anonymous token by POSTing to https://mega-api-prod.nemovideo.ai and then create sessions, upload video files, start SSE render streams, poll for render completion, and return download URLs. All of that is within scope for a cloud-rendering captioning skill. Note: the skill will upload user videos to an external service and will auto-generate/retain session tokens; it also asks the agent to auto-detect install path for a header value (reading agent environment), which is minor scope creep. There are no instructions to read unrelated system secrets or to exfiltrate other data.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files — lowest risk for arbitrary code installation. There are no download/extract instructions or third-party package installs in the SKILL.md.
- Credentials (note): The skill only requires a single credential (NEMO_TOKEN) which is appropriate for a single cloud API. It also contains workflows to obtain an anonymous token automatically if none is provided. The frontmatter references a config path (~/.config/nemovideo/) that is not listed in the registry 'Requirements' — inconsistent but not necessarily malicious. Consider that user video files and any metadata you send will be handled by the external service; that is a privacy risk if your content is sensitive.
- Persistence & Privilege (ok): The skill is not always: true, is user-invocable, and does not request persistent system-wide privileges. It instructs keeping session_id for operations (expected ephemeral behavior) and does not request modifying other skills or system-wide config.
