Skill v1.0.0

ClawScan security

Video Leaderboard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 4:36 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions largely match its stated purpose (remote video leaderboard/overlay rendering using a Nemo API token), but there are a few mismatches and minor scope/metadata ambiguities you should be aware of before installing.
Guidance
This skill appears to do what it says: it uses a Nemo API token to upload clips, run cloud rendering, and return downloadable videos. Before installing or using it: (1) Confirm you trust the API host (mega-api-prod.nemovideo.ai) and understand their data/retention and privacy policies for uploaded videos; (2) Ask the publisher to resolve the metadata mismatch: SKILL.md references ~/.config/nemovideo/ while the registry lists no config paths — ask whether the skill will read local config files and what it stores there; (3) Be aware the skill may probe install paths to set an attribution header — request confirmation it will NOT read other files beyond user-supplied uploads and the optional NEMO_TOKEN; (4) If you are uneasy, avoid setting a permanent NEMO_TOKEN in your environment and instead use a disposable/limited token or the anonymous-token flow; (5) If you need higher assurance, request the skill owner to publish a homepage or source so you can review server-side privacy/retention and any SLA for orphaned render jobs.

Review Dimensions

Purpose & Capability
note: The skill's name/description (video leaderboard rendering) aligns with the runtime actions (calls to a nemovideo API to upload clips, run SSE generation, and fetch render outputs). Requesting a single service token (NEMO_TOKEN) is proportional. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this is an inconsistency worth clarifying.
Instruction Scope
note: Instructions stay inside the video-processing domain: they authenticate, create a session, upload video files or URLs, stream SSE messages, poll renders, and return download URLs. They do instruct the agent to read NEMO_TOKEN if present and to perform multipart uploads from file paths (e.g., -F "files=@/path"). The doc also tells the agent to infer an install path (~/.clawhub/ or ~/.cursor/skills/) to set an attribution header, which implies checking filesystem paths that are unrelated to actual video uploads — this is unexpected and should be clarified.
Install Mechanism
ok: No install spec or code is provided (instruction-only). That minimizes disk-write and execution risk; nothing is downloaded from external URLs by an installer.
Credentials
note: Only one credential is required: NEMO_TOKEN (declared as primary). That is appropriate for a remote-rendering API. Caveats: SKILL.md claims a config path (~/.config/nemovideo/) in its frontmatter (possible local config/token storage) which is not declared in the registry metadata — potential mismatch. The skill will also generate an anonymous token via the API if NEMO_TOKEN is absent; that behavior is reasonable but means the skill can obtain and store tokens on your behalf.
Persistence & Privilege
ok: always:false and normal autonomous invocation settings. The skill instructs saving session_id for job tracking (expected). It does not request persistent platform-wide privileges or modifications to other skills.