Skill v1.0.0

ClawScan security

From Video Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 7:22 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requested credential and runtime actions align with a cloud-based video-editing service; nothing in the instructions asks for unrelated secrets or system-wide access, but the source is unknown and there are small metadata inconsistencies you may want to double-check before uploading sensitive videos.
Guidance
This skill appears to do what it says: upload video files to nemo's cloud render service and return edited output. Before installing or using it: (1) Confirm you trust the endpoint domain (mega-api-prod.nemovideo.ai) and the skill author because uploaded files are sent off-host; avoid sending confidential videos until you verify the service and privacy terms. (2) Note the skill can auto-generate an anonymous NEMO_TOKEN if none is provided — ask how/where that token will be stored (agent memory, logs, or local config). (3) The frontmatter mentions a local config path (~/.config/nemovideo/) even though the registry showed none — verify whether the skill will read/write that directory. (4) If you must protect sensitive content, prefer testing with non-sensitive clips and inspect network requests or logs. If you want more assurance, request the skill's source or a homepage and confirm the API's privacy/security policy.

Review Dimensions

Purpose & Capability
ok: The skill claims to run CLI-like video edits on a cloud backend and only requests a single service token (NEMO_TOKEN). The network endpoints, session creation, upload, SSE, and export flows described are all coherent with a cloud video-rendering service.
Instruction Scope
ok: SKILL.md confines actions to communicating with the nemo backend: create/refresh anonymous tokens, open sessions, upload media, read SSE, poll render status, and return download URLs. It does not instruct reading unrelated system files, arbitrary env vars, or sending data to other endpoints. It explicitly says not to expose tokens or raw API output.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files—lowest install risk. Runtime behavior is purely HTTP interactions with the stated API host.
Credentials
note: Only NEMO_TOKEN is declared as required, which matches the described API usage. Minor inconsistency: the frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata shown earlier listed no required config paths. The skill also describes generating an anonymous token if NEMO_TOKEN is missing (reasonable), which means the agent will perform network calls to obtain credentials automatically.
Persistence & Privilege
ok: always is false and the skill does not request system-wide changes or access to other skills' configurations. Autonomous invocation is allowed (platform default), which is appropriate for this type of integration.