Skill v1.0.0
ClawScan security
Video Producer Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 11:23 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill largely matches a remote video-processing integration, but there are inconsistencies and a few underspecified behaviors (automatic token creation, session persistence, and a declared config path) that you should understand before installing.
- Guidance
- This skill appears to be a wrapper around a third-party cloud video rendering API and is generally coherent, but before installing consider:
  1. The skill will create or use a NEMO_TOKEN (it can auto-request an anonymous token) and will store a session_id. Ask where those are stored and for how long; if stored under ~/.config/nemovideo/, your registry metadata should declare that.
  2. Uploaded video content is sent to mega-api-prod.nemovideo.ai. Confirm the service's privacy, retention, and security policies before sending sensitive footage.
  3. The skill may inspect the agent install path to set an attribution header (X-Skill-Platform). Verify that this doesn't leak local paths or other sensitive metadata you care about.
  4. If you prefer control, pre-create and supply your own NEMO_TOKEN rather than allowing anonymous token issuance.
  5. If anything feels unclear (where session/token are saved, retention policy, who controls the backend), treat this as potentially risky and ask the maintainer for clarification or for a documented privacy/security policy before use.
Review Dimensions
- Purpose & Capability
- note: Name, description, and declared primary credential (NEMO_TOKEN) align with a cloud video-rendering service. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) that is not listed in the registry metadata, which is an internal inconsistency: it suggests the skill may store data on disk or expect on-disk config even though the package metadata did not declare it.
- Instruction Scope
- note: Instructions are narrowly scoped to creating a session, uploading media, streaming SSE edits, polling render status, and downloading outputs. They also direct the agent to auto-obtain an anonymous token when none is present and to "store the returned session_id for all subsequent requests." The skill explicitly instructs not to show raw API responses or token values. The main concern is underspecification: it does not say where session_id or tokens are stored (memory vs. disk), nor how long they persist, and it asks the agent to auto-connect on first use.
- Install Mechanism
- ok: Instruction-only skill with no install spec or code files, so lowest install risk. All network activity is via documented API endpoints; no archives or external binaries are downloaded.
- Credentials
- note: Only one declared env var (NEMO_TOKEN), which is appropriate for an API-backed video service. Minor issues: the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) and a requirement to auto-detect an install path to set X-Skill-Platform; these imply the skill may read filesystem/agent install path information not reflected in the registry's declared requirements.
- Persistence & Privilege
- note: always:false (normal). The skill instructs the agent to 'store' session_id and to attempt automatic token acquisition; it is unclear whether these credentials/session IDs are persisted to disk (e.g., under ~/.config/nemovideo/) or only held in memory. That uncertainty raises a modest persistence/privacy concern but not an elevated privilege or cross-skill modification claim.
