Skill v1.0.0

ClawScan security

Tiktok With Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 11:28 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are broadly consistent with a cloud-based short-video rendering service, but there are small metadata inconsistencies and clear privacy implications you should consider before uploading content or supplying credentials.
Guidance
This skill appears to do what it says: it uploads your videos to a cloud rendering service (mega-api-prod.nemovideo.ai) and returns edited clips. Before installing or using it: (1) Understand privacy: any video you upload goes to an external service—avoid uploading sensitive or private footage. (2) Tokens: NEMO_TOKEN grants access to that service; only provide a token you trust and ideally with limited scope/expiration. The skill can also obtain a short-lived anonymous token automatically if no env var is present. (3) Metadata mismatch: the SKILL.md mentions a config path (~/.config/nemovideo/) and the runtime will try to detect install location for attribution headers — this is mostly benign but check that the skill doesn't try to read other unrelated files. (4) No install scripts are present, which reduces risk, but the service is external—review nemovideo.ai's privacy/terms if possible. If you need higher assurance, ask the publisher for a homepage or source repo and confirm what data the service stores and how long render jobs/outputs are retained.

Review Dimensions

Purpose & Capability
note: The skill claims to convert raw video into TikTok-ready clips and only requests a single service token (NEMO_TOKEN) that matches that purpose. Minor inconsistency: the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this is likely a documentation mismatch but worth noting.
Instruction Scope
ok: Runtime instructions are focused on interacting with the nemovideo.ai API (session creation, uploads, SSE for editing, render/export polling). They do not instruct reading unrelated system files or unrelated credentials. They do instruct reading the skill's frontmatter and detecting an install path to form X-Skill-Platform attribution, which is reasonable but slightly broader scope than strictly needed for video processing.
Install Mechanism
ok: No install script or external downloads — this is instruction-only, so nothing is written to disk by the skill itself during install. That lowers installation risk.
Credentials
note: Only NEMO_TOKEN is declared as required (primaryEnv). The SKILL.md also describes an anonymous-token flow if no token is present, which is coherent with providing an option to operate without a pre-provisioned credential. The previously noted discrepancy about the optional config path in the frontmatter is the only proportionality oddity.
Persistence & Privilege
ok: always is false and the skill doesn't request persistent system-wide privileges. It will make outbound network calls and upload user media to an external cloud service (the intended behavior), but it does not request or modify other skills or system configurations.