Skill v1.0.0

ClawScan security

To Youtube Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 26, 2026, 7:04 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions match its stated purpose (uploading and converting videos via a remote rendering service); nothing requested appears disproportionate, but the skill will upload your media and automatically obtain/store a bearer token if you don't provide one, so consider privacy/trust of the backend before use.
Guidance
This skill appears to do what it says: it uploads your video clips to a third-party rendering service (mega-api-prod.nemovideo.ai), may create an anonymous bearer token if you don't supply NEMO_TOKEN, and will return a processed MP4 URL. Before installing or using it: 1) Confirm you trust the nemovideo backend and its privacy/retention policies (you will be sending your media to that service). 2) If you have a paid account, consider supplying your own NEMO_TOKEN rather than letting the skill generate an anonymous token. 3) Be aware the skill will store/use session tokens (bearer tokens); treat them like passwords and revoke them on the provider if needed. 4) If you are concerned about leaking installation paths, note the skill may auto-detect a platform string for a header (minor info-leak risk). If any of these concerns are unacceptable, either do not install the skill or disable its network access.
Findings
[no-code-scan] expected: The scanner found no code files because this is an instruction-only skill (SKILL.md). Absence of code matches the registry metadata and is expected; security-relevant behavior is described in the instructions rather than in code.

Review Dimensions

Purpose & Capability
ok
Name/description (convert clips to YouTube-ready MP4) align with required credential (NEMO_TOKEN), declared config path (~/.config/nemovideo/), and the API endpoints described. No unrelated credentials or binaries are requested.
Instruction Scope
note
SKILL.md instructs the agent to upload user-provided files, create a session, use SSE for edits, and poll a remote render endpoint. This stays within the conversion/editing purpose, but the skill will transmit user media and session tokens to https://mega-api-prod.nemovideo.ai and will create an anonymous NEMO_TOKEN if none is present. The instructions do not ask the agent to read unrelated system files or other environment variables.
Install Mechanism
ok
No install spec or code is present (instruction-only), so nothing will be written to disk or downloaded by the skill itself. This is the lowest-risk installation model.
Credentials
ok
Only a single credential (NEMO_TOKEN) and an optional config path are declared, which is appropriate for a cloud-rendering service. Note: the bearer token grants the backend control over sessions/exports; the skill will also create and use an anonymous token via the service's anonymous-token endpoint if you don't provide one.
Persistence & Privilege
ok
Skill does not request always:true and does not modify other skills or system-wide settings. Declared config path is limited to the service's own config directory.