Skill v1.0.0
ClawScan security
Editor Change Background · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 7:44 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's required credential (NEMO_TOKEN), API endpoints, and upload/export workflow align with a cloud-based background-replacement service — but it will upload user media to an external domain and the SKILL.md frontmatter contains a small config metadata mismatch you should be aware of.
- Guidance: This skill will upload any video you send to the external service at mega-api-prod.nemovideo.ai and will use NEMO_TOKEN from the environment (or obtain an anonymous 7-day token automatically). Before installing/using: (1) confirm you are comfortable that your media will be processed by that external service and review its privacy terms; (2) avoid sending sensitive content or secrets in uploaded media; (3) if you don’t want the skill to auto-create anonymous tokens, provide your own NEMO_TOKEN or avoid invoking the skill; (4) note the small metadata inconsistency (SKILL.md claims a config path that the registry metadata did not list) — if this matters for your environment, ask the publisher to clarify. Overall the package is coherent for its stated purpose, but treat uploads and credentials carefully.
Review Dimensions
- Purpose & Capability (ok): The name/description (replace video backgrounds) match the runtime instructions: upload video, create a session, run render/export, and return a download URL. Requesting a service token (NEMO_TOKEN) and referencing a service-specific config path (~/.config/nemovideo/) is consistent with a hosted API-based renderer. One minor incoherence: the registry metadata reported 'Required config paths: none' while the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/) — likely benign but inconsistent.
- Instruction Scope (note): The instructions are concrete and scoped to the stated task (session creation, SSE chat, upload, export polling). They explicitly instruct uploading user-provided video to https://mega-api-prod.nemovideo.ai and to obtain an anonymous token if no NEMO_TOKEN is present. They also instruct reading this file's YAML frontmatter and checking local install paths to set attribution headers — reading the skill file and probing known install directories is marginally outside pure editing logic but appears intended for attribution; it does require filesystem reads.
- Install Mechanism (ok): No install spec and no code files (instruction-only) — lowest install risk. Nothing is downloaded or written to disk by an installer step in the package metadata.
- Credentials (ok): Only one credential is declared (NEMO_TOKEN) and is used to authenticate to the named service; that is proportionate. The frontmatter also lists a config path (~/.config/nemovideo/) which the registry didn't list — this mismatch should be resolved but the config path itself is relevant to the service. The skill does not request unrelated credentials.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system-wide privileges. It will operate over the network and may read local files for attribution, but it does not install persistent agents or modify other skills. Autonomous invocation is allowed by default (normal for skills).
