Skill v1.0.0

ClawScan security

Audio Editor Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 3:16 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared cloud integration (NEMO_TOKEN + nemovideo.ai endpoints) is coherent with an online audio editor, but there are provenance and packaging inconsistencies and privacy implications (uploading user audio to an unknown backend) that you should understand before installing.
Guidance
This skill appears to do what it says (upload your audio to a nemo-video backend for cloud editing) but there are two things to consider before installing: (1) Privacy: your audio/video files are uploaded to mega-api-prod.nemovideo.ai — do you trust that operator with potentially sensitive content? There is no homepage or source listed to verify them. (2) Packaging inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry summary omitted, which is a sign of sloppy packaging or an incomplete manifest. If you need this skill, ask the publisher for provenance (official homepage, privacy/retention policy, who operates nemovideo.ai) and confirm how long uploaded media and generated tokens are retained. Avoid using this skill with highly sensitive audio until you verify the backend's operator and privacy practices.

Review Dimensions

Purpose & Capability
note: The skill description (cloud AI audio editing) matches the runtime instructions and the single required credential (NEMO_TOKEN). However the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths — an inconsistency in packaging/provenance. Source/homepage are also missing, so the backend operator is not clearly identified.
Instruction Scope
concern: Instructions direct the agent to obtain or create a bearer token, create sessions, upload user files (multipart or URL) and send edits to a remote GPU-backed API at mega-api-prod.nemovideo.ai. Uploading user audio/video to a third-party cloud is expected for this functionality but is a privacy-sensitive action; the SKILL.md says 'Don't expose tokens or raw API output' but does not specify secure storage, retention, or explicit user consent flows. It also says to auto-detect platform from 'install path', which could cause the agent to read environment/path information.
Install Mechanism
ok: No install spec and no code files — instruction-only — so nothing is written to disk by an installer. This minimizes supply-chain risk compared with arbitrary downloads or package installs.
Credentials
note: Only one environment variable is declared (NEMO_TOKEN), which is appropriate for a cloud API client. But SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) not reflected in the registry's 'Required config paths', creating a mismatch. The skill will also generate an anonymous token by calling an API if none is present — this is reasonable but means the agent will perform network calls and retain session IDs.
Persistence & Privilege
ok: always:false and user-invocable:true — the skill does not demand permanent inclusion or elevated platform privileges. The instructions mention keeping session_id for operations, but there's no explicit instruction to persist tokens or modify other skills/configurations.