Skill v1.0.0

ClawScan security

Generator For Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 28, 2026, 4:17 PM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions generally match a video-generation purpose, but there are mismatches in declared metadata and clear privacy/consent risks (it uploads user files and can obtain anonymous tokens), so you should review before installing or using with sensitive content.
Guidance
This skill appears to do what it says (upload files to a cloud render API and return videos), but it will send any files you give it to a third-party endpoint (mega-api-prod.nemovideo.ai). Before using:
- Do not send any sensitive or private files unless you trust that service and have verified its privacy/retention policy.
- Note the skill will self-provision an anonymous token if you don't supply NEMO_TOKEN — that still uploads your content to the vendor. If you prefer control, provide your own token only after confirming the vendor and policy.
- Ask the publisher for a homepage, source code, or privacy policy (none listed) and clarify the mismatched configPath metadata (~/.config/nemovideo/ appears only in SKILL.md). The mismatch could be benign but should be explained.
- If you need strong guarantees (encryption, deletion, no external uploads), do not use this skill until you get explicit vendor documentation.

I have medium confidence in this assessment because the skill is instruction-only (no code to scan) and some metadata inconsistencies raise questions; more information from the publisher (source, privacy policy, exact config/FS access needs) would let me raise confidence to high.

Review Dimensions

Purpose & Capability
note: The name/description (generate videos from images/clips) aligns with the runtime instructions (session creation, upload, render, export). Requiring a NEMO_TOKEN and calling a video-render API is proportionate. However the SKILL.md frontmatter lists a required config path (~/.config/nemovideo/) while the registry metadata shows no config paths — this mismatch is inconsistent and should be clarified.
Instruction Scope
concern: The instructions direct the agent to obtain/use an Authorization token, create sessions, upload user files (multipart uploads or URLs), stream SSE, poll render status, and download results from https://mega-api-prod.nemovideo.ai. Uploading user content to an external third-party service is expected for this functionality but is a material privacy surface — the skill explicitly instructs creating anonymous tokens if no NEMO_TOKEN is present and to keep technical details out of chat. The 'keep technical details out of the chat' guidance increases opacity about network activity. Also the header X-Skill-Platform is to be auto-detected from the install path (instruction implies reading environment/install paths), which could cause the agent to access filesystem/installation metadata unnecessarily.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This minimizes disk write/execution risk since nothing is downloaded or installed by the skill itself.
Credentials
concern: The skill declares a single primary env var NEMO_TOKEN, which is coherent. But SKILL.md also contains metadata requiring a config path (~/.config/nemovideo/) that is not present in the registry 'Requirements' listing — an inconsistency. The skill can also obtain an anonymous token by contacting the vendor endpoint if NEMO_TOKEN is not provided, meaning it can operate without user-provided credentials. Consider whether you trust the external service before allowing uploads or providing a token.
Persistence & Privilege
ok: 'always' is false and there is no install/change-to-other-skills behavior. The skill does not request persistent system privilege from the registry metadata; autonomous invocation is allowed by default but is not combined with any unusual privileges here.