Skill v1.0.0

ClawScan security

Highlight Editor Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 5:38 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions are broadly consistent with a cloud-based video highlight service, but there are mismatches and missing provenance (unknown homepage/backend) and a metadata/config discrepancy that warrant caution before uploading sensitive footage or providing credentials.
Guidance
This skill appears to do what it claims (upload videos, run cloud rendering, return downloads), but exercise caution:
1) The publisher and homepage are unknown: ask for a privacy policy, data retention rules, and where files are stored and for how long.
2) Understand that your uploaded video/audio will be sent to mega-api-prod.nemovideo.ai; avoid uploading sensitive or private footage until you verify the service.
3) Clarify the configPath inconsistency (~/.config/nemovideo/ appears in SKILL.md but not in registry metadata): confirm whether the skill will read any local config files.
4) If you already have a NEMO_TOKEN, ensure it came from a trusted source; otherwise the skill will create an anonymous token with limited credits.
If these questions are answered satisfactorily, the skill is functionally coherent; if not, do not install or use with sensitive data.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (cloud video highlight extraction) matches the operations described (upload video, render on cloud GPU, return download URL), and the single required env var NEMO_TOKEN is appropriate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata indicated no required config paths; that inconsistency is unexplained. Also, the skill source/homepage is unknown, which reduces confidence in provenance.
Instruction Scope
note: Runtime instructions stay within the editing/export domain: create session, upload files, stream SSE, trigger renders, poll state, and handle credits/errors. They also include an auto-acquire flow for an anonymous token (POST to /api/auth/anonymous-token), which is coherent for anonymous operation. Two things to note: (1) the skill requires adding attribution headers and auto-detecting an install path to set X-Skill-Platform (this may require reading agent environment/install path), and (2) the skill will upload user-supplied video/audio files to an external domain (mega-api-prod.nemovideo.ai), which is expected for the feature but is a high-sensitivity activity for private content.
Install Mechanism
ok: No install spec and no code files: this is an instruction-only skill. This minimizes on-disk installation risk; nothing is downloaded or executed locally by an installer.
Credentials
note: Only one credential (NEMO_TOKEN) is declared and used, which is proportionate to a cloud API integration. The skill will auto-request an anonymous token if none is present. The unexplained presence of a configPath in the SKILL.md frontmatter (but not in registry metadata) is inconsistent and could imply the skill expects to read ~/.config/nemovideo/; that should be clarified before trusting local config data.
Persistence & Privilege
ok: The skill is not always-enabled and uses normal autonomous invocation settings. It stores session_id for the session lifecycle (expected) and does not request system-wide config changes or other skills' credentials.