Skill v1.0.0

ClawScan security

Viral Reels · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 5:35 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior (uploading your videos to an external cloud service and auto-provisioning tokens) matches its stated purpose, but there are a few inconsistencies and privacy/ownership concerns you should understand before installing.
Guidance
Before installing, consider these points:

- This skill uploads your videos to an external service (mega-api-prod.nemovideo.ai). If your media contains private or sensitive content, do not use the skill until you verify the service's privacy policy and trustworthiness.
- There is no homepage or source code linked and the publisher is an opaque ID. If possible, request the vendor/source repo or documentation to verify who operates the backend and how data is stored/retained.
- The SKILL.md will auto-request an anonymous token if NEMO_TOKEN is not present. That token grants the skill access to the remote service for up to 7 days (per the doc). Be aware of where that token gets stored and avoid placing long-lived secrets you don't want shared into NEMO_TOKEN.
- There is a small inconsistency: the skill metadata mentions a local config path (~/.config/nemovideo/) even though the registry metadata lists none. Ask the author whether the skill reads local config files and why.
- If you proceed, limit the kinds of media you upload (avoid PII/sensitive content), consider creating an account/token with minimal privileges if supported, and monitor network activity/logs the first few times you use it.

If you want, I can draft questions to ask the skill publisher (requesting source, data retention policy, and exact scope of token permissions) or suggest safer alternative workflows (local-only editing tools) depending on your needs.

Review Dimensions

Purpose & Capability
note: Functionality (upload video, render on cloud GPU, return download URL) is coherent with the name/description. Requesting a NEMO_TOKEN for authorization is expected. However, the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained. The skill has no declared homepage or source repository and the publisher is an opaque ID, which reduces transparency about who runs the backend.
Instruction Scope
concern: Instructions direct the agent to upload user-supplied media to https://mega-api-prod.nemovideo.ai, create sessions, handle SSE streams, poll render status, and return download URLs — all consistent with a cloud render service. This necessarily transmits user files off-device (privacy concern). The skill also instructs the agent to obtain an anonymous token if NEMO_TOKEN is absent (automatic outbound network call). There are no instructions that attempt to read unrelated local files, but the metadata's config path suggests potential local config access that the rest of the doc never references.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk. No binaries or package installs requested.
Credentials
note: Only NEMO_TOKEN is declared as required and is the primary credential — that's proportional to a cloud API-backed video service. The SKILL.md will generate an anonymous token via the service if NEMO_TOKEN is missing (so an admin-supplied token is not strictly required). Consider that any token (anonymous or user-provided) authorizes upload of your media to the remote backend.
Persistence & Privilege
ok: always is false, skill is user-invocable and can be called autonomously (default). The skill does not request permanent platform privileges or attempt to modify other skills or system-wide settings.