Skill v1.0.0

ClawScan security

From Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:19 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with its stated purpose (creating videos from audio) and ask only for a single, service-specific token and the network calls needed to render and return videos.
Guidance
This skill will upload your audio and related metadata to an external service at mega-api-prod.nemovideo.ai and uses a service-specific token (NEMO_TOKEN). If you don't provide a token, it will request an anonymous token from that service (100 free credits, 7-day expiry). Before installing or using: 1) confirm you are comfortable sending your audio to this external service and check its privacy/terms; 2) verify the domain (nemovideo.ai) matches the provider you expect; 3) consider using your own service token (if you have one) rather than relying on anonymous tokens; and 4) monitor credit usage if the service requires payment after freebies.

Review Dimensions

Purpose & Capability
ok: Name/description (create videos from music) align with the declared requirement NEMO_TOKEN, the referenced nemo config path (~/.config/nemovideo/), and the API endpoints in SKILL.md. No unrelated credentials or binaries are requested.
Instruction Scope
ok: SKILL.md instructs the agent to check NEMO_TOKEN, obtain an anonymous token from the documented nemo API if missing, create a session, upload audio, drive SSE chat, and poll export endpoints. All referenced files, headers, and endpoints are proportional to video generation. The skill does read its own frontmatter and may check install paths to set attribution headers; this is reasonable for attribution and not broad system access. The instructions explicitly advise not to expose tokens or raw API output.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. No downloads or archive extraction are performed. Lowest install risk.
Credentials
ok: Only a single service-specific credential (NEMO_TOKEN) is declared as required and used. The SKILL.md provides an anonymous-token fallback obtained from the stated API. No unrelated secrets or multiple external credentials are requested.
Persistence & Privilege
ok: The skill does not request always:true or system-wide configuration changes. It stores and uses a session_id for operations but does not claim to modify other skills or persist beyond normal session tokens. Autonomous invocation is enabled by default (normal for skills) but not combined with other concerning privileges.