Skill v1.0.0
ClawScan security
Caption Generator For Photo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 17, 2026, 5:24 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (adding captions and exporting video via a remote NEMO API) is plausible and most requirements line up, but there are inconsistencies and small scope-creep items you should be aware of before installing.
- Guidance: This skill will upload images and related data to an external service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN bearer token to operate. Before installing, confirm you are comfortable with your images being sent to that domain and review nemo's privacy/terms. Ask the publisher to clarify the apparent metadata mismatch: SKILL.md references storing config under ~/.config/nemovideo/ and detecting install paths, but the registry metadata lists no config paths — if you prefer tokens not be persisted to disk, ask whether the skill will write the anonymous token/session to your filesystem and where. Finally, verify the API hostname is legitimate (nemovideo.ai) and avoid sending sensitive or regulated images unless you trust that service.
Review Dimensions
- Purpose & Capability (note): Name/description match the actions in SKILL.md: the skill sends images to a remote nemo-video rendering API and returns MP4s. Requiring a NEMO_TOKEN for Bearer auth is proportionate. However the SKILL.md frontmatter also references a local config path (~/.config/nemovideo/) while the registry metadata lists no config paths — this mismatch is unexplained.
- Instruction Scope (note): Instructions are largely limited to API calls (anonymous token generation, session creation, upload, SSE, render), which is expected. A few instructions imply local detection/writes: deriving X-Skill-Platform by checking install paths (~/.clawhub/, ~/.cursor/skills/) and references to a local config path suggest the agent may inspect the filesystem or persist session/token state. The skill does not ask to read arbitrary unrelated files or other env vars.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This minimizes install-time risk; nothing is downloaded or written by an installer in the bundle itself.
- Credentials (note): The only declared required env var is NEMO_TOKEN (primary credential), which is appropriate for an API-backed renderer. However the SKILL.md instructs generating and saving an anonymous token if none exists and the frontmatter mentions a local config path (~/.config/nemovideo/), implying token persistence to disk; that extra storage access is not reflected in the registry metadata and should be clarified.
- Persistence & Privilege (ok): always is false and the skill is user-invocable only. Nothing in the instructions asks the skill to change other skills or system-wide agent settings. The only persistence implied is saving session_id / token for reuse (normal for API clients).
