Skill v1.0.0

ClawScan security

How To Add Music To A Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 6:49 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do what it claims (upload video/audio to a cloud render backend and return a merged video), but there are incoherent requirements around the declared credential and config path that you should understand before installing.
Guidance
This skill will upload any media you provide to mega-api-prod.nemovideo.ai for server-side processing and will include an Authorization Bearer token on requests. Before installing: 1) Confirm you trust nemovideo.ai with your files and any personal information in them (don’t upload sensitive content). 2) Clarify whether you must provide your own NEMO_TOKEN; the metadata says it’s required but the instructions show an anonymous-token flow — if you prefer account-level tracking, supply your token; otherwise anonymous tokens may be used but expire in 7 days. 3) Be aware the skill may inspect your home directory (~/.clawhub or ~/.cursor/skills) to set an X-Skill-Platform header. 4) If you need stronger guarantees (no uploads, local-only processing, or avoid creating remote tokens), do not install. If you want to proceed, consider asking the skill author to remove the misleading 'required env' claim or to document when a persistent token is actually needed.

Review Dimensions

Purpose & Capability
note: The skill's name and description (merge audio into video on a cloud backend) match the SKILL.md instructions (upload files, create a session, export via nemovideo.ai APIs). However, the registry metadata lists NEMO_TOKEN as a required environment variable even though the instructions include an anonymous-token flow that generates a token if NEMO_TOKEN is not present. That discrepancy is unexplained and unnecessary for the stated purpose.
Instruction Scope
ok: Runtime instructions stay within the stated purpose: they describe creating/using a session, uploading media, streaming edits via SSE, and polling render status. There are no instructions to read unrelated system files or exfiltrate data beyond the megapi endpoint. The skill does instruct detection of install paths (~/.clawhub/, ~/.cursor/skills/) to populate an X-Skill-Platform header, which requires inspecting the user's home directory; this is scope-adjacent but understandable for attribution.
Install Mechanism
ok: There is no install specification and no code files; this is instruction-only. That minimizes disk-write and supply-chain risk.
Credentials
concern: Metadata declares NEMO_TOKEN as required (primary credential) and includes a configPaths entry (~/.config/nemovideo/), but the instructions explicitly allow generating an anonymous token if NEMO_TOKEN is missing and do not reference the config path. Requesting a persistent credential while also supporting anonymous issuance is inconsistent. Requiring a named secret in metadata without a clear need is disproportionate and should be clarified.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It will cause outbound network calls to nemovideo.ai and may read the user's home path to detect install location for attribution headers; both are reasonable for this skill's functionality but worth noting.