Skill v1.0.0
ClawScan security
Travel Agency Promo Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 5, 2026, 10:14 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill claims to produce marketing videos but is only marketing copy with no operational instructions and an unexplained required credential (NEMO_TOKEN) plus a mismatched config-path declaration — these inconsistencies warrant caution before installing.
- Guidance: This package is mostly marketing text and lacks concrete runtime behavior. Before installing or providing credentials: 1) Ask the maintainer to supply exact runtime instructions (API endpoints, sample requests, what data is sent, and where outputs are stored). 2) Confirm why NEMO_TOKEN is needed, what scope/permissions it requires, and whether a scoped/test token can be used. 3) Clarify whether ~/.config/nemovideo/ is required and what files it contains or reads. 4) Prefer creating a least-privilege token and test in a sandbox account. 5) If you cannot obtain clear, specific documentation of the data flow and token usage, avoid supplying production credentials — treat this skill as incomplete or poorly documented rather than ready for production use.
Review Dimensions
- Purpose & Capability (concern): The name/description claim automated creation and export of marketing videos, but there is no code, no install, no required binaries, and no concrete runtime steps for producing video. The single required credential (NEMO_TOKEN) could plausibly map to an external video API, but the SKILL.md provides no explanation of what NEMO is, what API calls will be made, or why a token is required. Overall the requested surface (a token and a possible config path) is not clearly justified by the prose.
- Instruction Scope (concern): SKILL.md is high-level marketing and use-cases only; it lacks any runtime instructions, commands, endpoints, or data flows. It doesn't show how the agent should use NEMO_TOKEN, what files (if any) are read/written, or where generated content is uploaded. The metadata inside the SKILL.md references a config path (~/.config/nemovideo/) but the registry metadata reported no required config paths — an internal inconsistency.
- Install Mechanism (ok): No install spec and no code files (instruction-only). That minimizes direct disk-write or arbitrary-download risk, but also means the skill as provided cannot by itself perform video generation — it would need platform-side integration with an external service.
- Credentials (note): The skill requests one env var (NEMO_TOKEN) as primary credential, which is reasonable if it calls an external video API. However, the SKILL.md does not document what token scope is required, where it will be sent, or whether any other credentials/config are accessed. The presence of a config path in the embedded metadata (but not in the registry listing) increases uncertainty about possible filesystem access.
- Persistence & Privilege (ok): The skill does not request always:true and has no install; it does not ask for persistent system modifications. Autonomous invocation is enabled by default (normal), which combined with the other uncertainties increases potential blast radius but is not by itself a disqualifying issue.
