Skill v1.0.0
ClawScan security
Video Creator Job · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 5:15 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions mainly match a cloud video-rendering purpose, but there are inconsistencies (the config path is declared only in SKILL.md, not in the registry metadata; install-path detection is performed at runtime) and it asks for a network-access token for an external API. Review before use.
- Guidance: This skill appears to do what it claims (cloud video creation), but double-check a few things before installing:
  - Confirm the source and trustworthiness of the domain (mega-api-prod.nemovideo.ai). If unknown, avoid providing long-lived or high-privilege tokens.
  - The SKILL.md references a local config path (~/.config/nemovideo/) and asks the agent to detect its install path; ask the publisher whether the skill actually needs to read those filesystem locations and why. This was not declared in the registry metadata.
  - Prefer using the anonymous token flow for initial testing (it issues a short-lived token), and test with non-sensitive sample videos first.
  - Don't store a reusable NEMO_TOKEN that has broader permissions than needed; rotate or revoke it if you later uninstall the skill.
  - If you need higher assurance, request the publisher's privacy/security policy and a clear list of what is uploaded/stored and the retention/visibility of uploaded media.
Review Dimensions
- Purpose & Capability (note): The name/description (AI cloud video creation) aligns with the runtime instructions (upload, SSE, render, export). Requesting a NEMO_TOKEN to call the nemo-video API is proportionate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and install-path detection logic (to set X-Skill-Platform), neither of which is reflected in the registry metadata (which listed no required config paths). That mismatch is an incoherence to clarify.
- Instruction Scope (note): SKILL.md provides detailed, concrete API workflows (session creation, SSE, upload, export, polling). The instructions stay within video-creation tasks (uploads, edits, polls). Two runtime behaviors to note: (1) it instructs reading the skill file's YAML frontmatter and detecting the agent install path to set attribution headers, which requires filesystem inspection; (2) it instructs generating/using an anonymous token via an external endpoint if NEMO_TOKEN is not provided. Neither is obviously malicious, but both expand the skill's access beyond 'just upload and render' and should be explicit in the registry metadata.
- Install Mechanism (ok): No install spec and no code files; the skill is instruction-only, which minimizes on-disk risk. There are no downloads, packages, or binaries declared.
- Credentials (note): The skill only requires one environment variable (NEMO_TOKEN), which is appropriate for calling a third-party API. But the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) and asks the agent to detect the install location for header attribution; those additional filesystem accesses were not declared in the registry metadata and should be justified. Also confirm what privileges NEMO_TOKEN grants before storing a long-lived token.
- Persistence & Privilege (ok): always: false and normal model-invocation settings. The skill does not request permanent presence or system-wide config changes in the SKILL.md. It does instruct saving a session_id for the session lifecycle, which is expected.
