Skill v1.0.0

ClawScan security

Gif Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 3:33 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's actions (uploading user media to a nemo video backend using a NEMO_TOKEN or anonymous token) match its description, but there are small inconsistencies about config path usage and platform detection you should be aware of before installing.
Guidance
This skill uploads files you give it to an external service (mega-api-prod.nemovideo.ai). It will use a NEMO_TOKEN from the environment if present or obtain an anonymous token automatically. Before installing: 1) confirm you trust nemo‑video (privacy of uploaded media); 2) avoid supplying sensitive content unless you control the destination; 3) prefer using an account token you control rather than relying on anonymous tokens; 4) ask the platform whether the skill will be allowed to read ~/.config/nemovideo/ or inspect install paths (the skill's metadata lists that path but the instructions don't clearly use it); and 5) note the skill's source/homepage are unknown — lack of provenance increases risk. If you need higher assurance, request the skill's source or an official integration from the service owner.

Review Dimensions

Purpose & Capability
ok: The name/description (GIF → MP4 conversion) align with the runtime instructions: the SKILL.md describes creating a session, uploading files, rendering, and returning a download URL on a nemo video backend. Requesting a NEMO_TOKEN credential is reasonable for this integration.
Instruction Scope
note: Instructions stay largely within the conversion task (auth, session creation, upload, render/poll, download). They require sending user files to https://mega-api-prod.nemovideo.ai and include SSE/video-edit workflows. Minor scope issues: the skill tells the agent to 'detect the install path' to set X-Skill-Platform (which would require checking host paths) and expects attribution headers derived from the skill file; these are implementation details but may cause the agent to inspect filesystem paths or the skill file.
Install Mechanism
ok: No install spec or external downloads are provided (instruction-only), so nothing is written to disk by an installer. This is lower risk.
Credentials
note: The skill declares a single primary env var (NEMO_TOKEN), which fits the stated backend API usage. However, the metadata also lists a config path (~/.config/nemovideo/) that is not referenced in the SKILL.md instructions; this mismatch is unexplained and could indicate the skill expects to read a local config/token although the runtime instructions prefer an environment variable or anonymous-token flow.
Persistence & Privilege
ok: always:false and default autonomous invocation are normal. The skill does not request global/system modifications and does not declare writing other skills' configs. The only extra privilege implied is potential read access to the user's home config path (per metadata), which you should confirm with the platform before granting.