Skill v1.0.0
ClawScan security
Viral Title Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 12:06 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (cloud video/title generation) mostly matches its requirements, but there are inconsistencies and privacy concerns — it will obtain/use tokens and upload user videos to an external API whose provenance is unclear and the SKILL.md asks the agent to hide token values and may reference a user config path that wasn't declared.
- Guidance: This skill appears to be what it claims (cloud title/video processing) but has ambiguous and potentially privacy-sensitive behaviors you should confirm before installing:
  1. It uploads your video files to https://mega-api-prod.nemovideo.ai — only use it for content you are comfortable sending to a third party.
  2. The SKILL.md will auto-create an anonymous token if you don't provide one; ask whether that token and any session_id are stored on disk (and where) and for how long jobs/files are retained on their servers.
  3. The frontmatter mentions ~/.config/nemovideo/, but the registry listed no config paths — ask the maintainer to explain and to remove any unnecessary file-system access.
  4. The instructions request the agent to hide raw API responses and token values from the user — request transparency or prefer to supply your own token.
  5. Because the skill source/homepage is unknown, prefer not to use it with sensitive or private video content until you can verify the service's operator and privacy policy.

  If you decide to proceed, set a token you control (if possible), test with non-sensitive sample videos, and ask the publisher to reconcile the metadata/configPath inconsistency and explicitly document storage/retention and data-handling practices.
Review Dimensions
- Purpose & Capability (note): The stated purpose (generate viral titles and render/export videos) aligns with calls to a video-processing backend and the single required credential NEMO_TOKEN. However: (1) the registry metadata shown earlier states no required config paths, while the SKILL.md frontmatter lists ~/.config/nemovideo/ (inconsistency), and (2) the skill's source and homepage are unknown, so the external endpoint (mega-api-prod.nemovideo.ai) cannot be validated from the registry data.
- Instruction Scope (concern): Runtime instructions tell the agent to automatically obtain an anonymous token, create sessions, upload user video files (up to 500MB), and keep token values hidden from users. Uploading user videos to a third-party API is expected for this service, but the instructions also instruct the agent not to show raw API responses or tokens (which reduces transparency) and reference storing session_id for subsequent requests without specifying where/how (in-memory vs disk). The SKILL.md frontmatter requires attribution headers and detection of install path, which implies the agent may inspect its environment/paths.
- Install Mechanism (ok): There is no install spec and no code files — this instruction-only skill does not install packages or write archives to disk by itself, which is low-risk from an install perspective.
- Credentials (note): The skill declares a single required credential (NEMO_TOKEN), which is proportionate to a hosted video-processing service. Caveats: the SKILL.md instructs the agent to auto-generate and use an anonymous token if NEMO_TOKEN isn't provided (so the agent can operate without user-supplied credentials), and the frontmatter's configPaths (~/.config/nemovideo/) introduces potential access to user config files that wasn't reflected in the registry summary — this mismatch should be clarified.
- Persistence & Privilege (note): always:false (normal). The skill may persist a session token/session_id for ongoing uploads/exports; the SKILL.md doesn't explicitly say whether those are stored only in memory or written to ~/.config/nemovideo/ (frontmatter suggests that path). Persisting tokens to disk or modifying user config would increase privilege and privacy impact — clarify where session data and tokens are stored and how long they are retained.
