Skill v1.0.0

ClawScan security

Ai Video Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 3:55 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud video-processing integration, but there are a few small metadata inconsistencies and privacy considerations to review before installing.
Guidance
This skill uploads your raw video files and session metadata to an external service (mega-api-prod.nemovideo.ai) and will create/store an anonymous token automatically if you don't provide NEMO_TOKEN. That behavior is consistent with a cloud video-processing tool, but you should: 1) avoid uploading sensitive or confidential footage to an unverified third-party service; 2) prefer setting NEMO_TOKEN yourself (from a trusted account) if you want control over credentials and retention; 3) ask where the token/session is stored (agent-local storage, config file, etc.) and how long it is kept; 4) note the minor metadata mismatch (SKILL.md lists ~/.config/nemovideo/ while registry metadata did not), and consider verifying the service provider or privacy policy before use. If you need higher assurance (who runs the backend, data retention, encryption), seek a skill with a known homepage / vendor or request additional provenance from the skill author.

Review Dimensions

Purpose & Capability
ok
Name/description (AI video processing, upload/export) match the declared need for a single service token (NEMO_TOKEN) and the API endpoints documented in SKILL.md. The declared functionality (accepting video files, starting render jobs, returning download URLs) aligns with the required permission: access to the remote rendering backend.
Instruction Scope
note
SKILL.md instructs the agent to POST uploads and control commands to https://mega-api-prod.nemovideo.ai, generate an anonymous token if NEMO_TOKEN is not set, create and persist a session_id, stream SSE responses, and include attribution headers. These actions are expected for a remote video-processing service, but they do mean user media and derived data will be uploaded to an external service and a token will be created/stored automatically unless the environment already contains NEMO_TOKEN.
Install Mechanism
ok
Instruction-only skill with no install spec or code to write to disk. Lowest-risk install mechanism; nothing is downloaded or extracted by the skill itself.
Credentials
note
Only one environment credential is declared (NEMO_TOKEN), which is appropriate for a single backend API. However, SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — a minor inconsistency. The skill will auto-generate and store an anonymous token if NEMO_TOKEN is absent, which is functionally reasonable but affects where and how long credentials are persisted.
Persistence & Privilege
ok
always:false and default autonomous invocation are appropriate. The skill instructs storing a session token and session_id for subsequent requests (normal for remote service sessions) but does not request system-wide privileges or to modify other skills.