Skill v1.0.0
ClawScan security
Editorjs Highlight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Apr 16, 2026, 8:59 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches a cloud video-highlight service, but there are inconsistencies (declared vs. frontmatter config paths) and it will automatically obtain/store tokens and upload your videos to an external API — verify you trust that service before installing.
- Guidance: This skill will upload your videos to mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN to authenticate. If you don't provide one, the skill will request an anonymous token from the service and may persist session info (the SKILL.md references ~/.config/nemovideo/). Before installing: 1) confirm you trust nemovideo.ai and their privacy/retention policies for uploaded media; 2) consider providing your own token rather than letting the skill auto-generate and store one; 3) ask the publisher to explain the registry metadata mismatch (registry said no config paths but the skill frontmatter lists ~/.config/nemovideo/); and 4) be aware that uploaded content will leave your device — do not send sensitive videos unless you accept that transmission and storage.
Review Dimensions
- Purpose & Capability
- note: The declared primary credential (NEMO_TOKEN) and the API endpoints in SKILL.md align with a cloud video-processing service; requesting a token and using it to upload and render videos is coherent with the stated purpose. However, the registry metadata earlier said 'Required config paths: none' while the SKILL.md frontmatter lists a config path (~/.config/nemovideo/), which is an internal inconsistency and suggests the skill may read/write a local config directory that wasn't declared.
- Instruction Scope
- concern: Instructions tell the agent to obtain anonymous tokens, create sessions, upload user-provided video files to https://mega-api-prod.nemovideo.ai, poll render jobs, and return download URLs. Uploading user media to a third-party cloud is expected for this service but is sensitive — the skill also instructs the agent to 'not display raw API responses or token values', implying tokens will be stored/kept hidden. There is no unexpected file-system or unrelated credential access in the visible instructions, but automatic token acquisition and persistent session storage broaden the skill's scope and should be explicit to users.
- Install Mechanism
- ok: Instruction-only skill with no install spec or code files. This minimizes install-time risk (nothing downloaded or executed locally).
- Credentials
- note: Only one environment variable is declared (NEMO_TOKEN), which is appropriate for a cloud API. But SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) implying local storage/read/write, which was not declared in registry metadata — this mismatch should be clarified. The skill will auto-generate and use an anonymous token if NEMO_TOKEN isn't set, which may result in the agent contacting the external API and persisting credentials/session info.
- Persistence & Privilege
- note: The skill does not request always:true and has no install-time persistence. However, the frontmatter/configPaths indicate it may read/write ~/.config/nemovideo/ to store session state or tokens; storing tokens/config on disk increases persistence beyond a single run and should be explicit. Autonomous invocation (disable-model-invocation=false) is normal, but combined with automatic token generation and upload capability it increases the blast radius if the endpoint or token handling is abused.
