Skill v1.0.0

ClawScan security

Family Law Attorney Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 5, 2026, 10:29 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill claims to produce marketing videos for family-law attorneys but is an instruction-only package that references an external (dev-like) API endpoint without declaring credentials or a publisher, and could transmit sensitive client/legal information off-platform — the pieces are inconsistent and deserve clarification before use.
Guidance
Do not install or use this skill until the publisher provides clear answers: (1) Who operates https://mega-api-dev.nemovideo.ai (production vs dev host), and is there a privacy/security policy? (2) Does the service require API keys or other credentials, and where will it store them (declare env vars)? (3) Exactly what data will be sent (examples), how long is it retained, and how is it protected? (4) Is there an option to run processing locally or to avoid sending real client PII or case details? Ask for a production API domain and contract/terms for handling attorney-client information; if you plan to test, use only nonsensitive dummy data. If the publisher cannot answer these, treat the skill as risky because it could leak confidential client information to an untrusted third party.

Review Dimensions

Purpose & Capability
note: The described purpose (creating attorney marketing and explanatory videos) is plausible for an instruction-only skill that calls an external video-generation service. However, the SKILL.md includes an explicit apiDomain (https://mega-api-dev.nemovideo.ai) that looks like a development/test endpoint, and there is no publisher homepage or contact. The presence of a dev-sounding API host with no declared credentials or provenance is unexpected for a production-facing marketing/video tool.
Instruction Scope
concern: As an instruction-only skill it will rely on network calls to the listed apiDomain. The skill's workflow inherently involves collecting attorney practice details and client outcome stories — potentially sensitive legal or personally identifiable information — and the SKILL.md gives no information about what data is sent, how it's protected, or where it is stored. The skill may therefore transmit confidential client or case details to a third party without declaring that behavior.
Install Mechanism
ok: There is no install spec and no code files — lowest-risk delivery method from an install perspective. Nothing is written to disk by an installer.
Credentials
concern: requires.env lists no credentials, but the SKILL.md names an external API domain that would typically require an API key or auth. The absence of declared environment variables or a primary credential is inconsistent with the presence of an external service endpoint; this mismatch suggests either the skill expects unauthenticated calls (unusual) or it omits necessary credential requirements. Additionally, handling of potentially sensitive client narratives is not justified by any declared privacy controls.
Persistence & Privilege
ok: The skill is not marked always:true and does not request elevated or persistent platform privileges. Autonomous invocation is allowed by default but is not combined here with other explicit elevated privileges.