Skillv1.0.0

ClawScan security

Free Editor Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 30, 2026, 3:07 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with an image-editing cloud service: it only needs a service token, uploads images to a named backend, and has no install steps or unrelated credential requests.
Guidance: This skill appears coherent for cloud-based image editing. Things to consider before installing: (1) uploads: any images you send will be uploaded to mega-api-prod.nemovideo.ai — do not upload sensitive images unless you trust that service and have reviewed its privacy policy; (2) token handling: the skill can generate an anonymous NEMO_TOKEN automatically if you don't provide one — if you prefer control, create and supply your own NEMO_TOKEN rather than letting the skill obtain one; (3) metadata mismatch: SKILL.md mentions a config path (~/.config/nemovideo/) though registry metadata did not — minor inconsistency but worth noting; (4) provenance: the skill source is unknown (no homepage/author info). If provenance or legal/privacy requirements matter, ask the publisher for a privacy policy, terms, or source code before using. Overall the skill is consistent with its stated purpose but you should confirm you are comfortable with sending your images to the named external service and with how tokens/session data are stored.

Review Dimensions

Purpose & Capability: okThe skill's name/description (cloud image editing and export) aligns with the runtime actions: uploading images, creating render jobs, polling exports, and requiring a NEMO_TOKEN for the nemo-video backend. The only minor inconsistency is that the SKILL.md frontmatter metadata includes a configPaths entry (~/.config/nemovideo/) while the registry metadata listed no required config paths; this is likely a small metadata mismatch and not a substantive capability mismatch.
Instruction Scope: noteInstructions are scoped to the service: check for NEMO_TOKEN, optionally obtain an anonymous token from the documented endpoint, create a session, upload images, use SSE for edits, and poll for render completion. The skill will perform automatic network calls and persist session_id/token for subsequent requests; it also reads its own frontmatter and detects the agent install path to set X-Skill-Platform headers. These behaviors are reasonable for the stated purpose but you should be aware images and metadata are sent to mega-api-prod.nemovideo.ai and the skill may automatically obtain/store short-lived tokens if none are pre-provided.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest-risk installation footprint. Nothing is downloaded or written by an install step according to the package data.
Credentials: okThe skill requests a single service credential (NEMO_TOKEN) which directly maps to the remote editing backend. No unrelated credentials or broad environment access are requested. Note: SKILL.md describes generating an anonymous token automatically if no NEMO_TOKEN is present; consider whether you want the skill to create/use anonymous tokens vs. you provisioning a token yourself.
Persistence & Privilege: okThe skill is user-invocable, not always-on, and does not request elevated platform privileges. It asks to store session tokens/session_id for job management (normal for this workflow) but does not modify other skills or system-wide settings.