Skill v1.0.0

ClawScan security

Video Ai Discord · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 7:31 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's network actions and requested token are coherent with a cloud video service, but metadata inconsistencies and vague storage/auto-auth behavior warrant caution before installing.
Guidance
This skill appears to be a thin client for a cloud video service (calls to mega-api-prod.nemovideo.ai and a NEMO_TOKEN are expected). Before installing, ask the publisher these questions or take these precautions:

- Confirm the config path: does the skill read or write ~/.config/nemovideo/? The registry and SKILL.md disagree — ask which is accurate.
- Ask where generated anonymous tokens and session_ids are stored and for how long; insist they not be persisted to world-readable files.
- Verify the backend domain (mega-api-prod.nemovideo.ai) and the service's privacy policy and data retention for uploaded videos (sensitive content risk).
- Request that the agent prompt you before auto-creating tokens or starting uploads (avoid silent network activity).
- If you want minimal risk, test first with non-sensitive short videos and no account-binding actions; consider revoking the anonymous token after testing if possible.

If the publisher cannot clarify where credentials/config are stored and why the config path is needed, treat the skill as higher risk and avoid installing it.

Review Dimensions

Purpose & Capability
note: The name/description (cloud video editing for Discord) matches the declared need for a service token and the API endpoints described. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata presented to you showed no required config paths — this mismatch is an incoherence that should be clarified.
Instruction Scope
note: Runtime instructions are mostly scoped to uploading files, streaming SSE, rendering jobs, and credentialed API calls to mega-api-prod.nemovideo.ai — all expected for this purpose. The skill instructs the agent to auto-acquire an anonymous token if NEMO_TOKEN is absent and to store a session_id; it also derives attribution headers from install paths. The SKILL.md does not specify where or how tokens/session IDs are persisted (memory vs disk), which is important for privacy/security.
Install Mechanism
ok: There is no install spec and no code files (instruction-only), so nothing is downloaded or written to disk by an installer — this lowers risk compared to skills that install binaries or archives.
Credentials
concern: The only declared credential is NEMO_TOKEN (primaryEnv), which fits the stated cloud service. But the SKILL.md metadata references a local config path (~/.config/nemovideo/) that was not declared elsewhere, and the instructions ask the agent to generate/store anonymous tokens automatically. Both facts raise proportionality questions: why would a simple editing skill need a local config path, and where/how will generated credentials be stored?
Persistence & Privilege
ok: The skill is not marked always:true and does not request elevated platform privileges. It does instruct an automatic first-time connection to the backend (expected for convenience), but that means network activity and credential creation can occur without an explicit per-use consent unless the UI prompts the user.