Skill v1.0.0

ClawScan security

Video Downloader Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 11, 2026, 10:33 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior (calling an external nemovideo API to upload and render videos) matches its description, but metadata and requirement mismatches plus unknown provenance warrant caution before installing.
Guidance
This skill will send video URLs and uploaded files to a third-party API (mega-api-prod.nemovideo.ai) and expects an API token named NEMO_TOKEN, although the instructions also describe obtaining a temporary anonymous token if none is provided. Before installing: verify the provider (there is no homepage or known source listed), avoid sending sensitive or private videos, consider using a throwaway token or the anonymous flow rather than placing a long-lived secret in your environment, and ask the publisher to clarify the configPath entry and whether NEMO_TOKEN is strictly required. If you need confidentiality guarantees or a trusted vendor, do not install until you can confirm ownership and the data-retention and privacy policies.

Review Dimensions

Purpose & Capability
note: The skill claims to download/export videos, and all runtime instructions target a remote rendering service (mega-api-prod.nemovideo.ai), which is coherent with the stated purpose. However, the registry metadata/requirements are inconsistent with SKILL.md: the registry lists no config paths, while the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/). Also, the registry marks NEMO_TOKEN as required, but SKILL.md explicitly documents an anonymous-token fallback flow, so it is unclear whether a pre-provided token is actually mandatory.
Instruction Scope
ok: SKILL.md gives concrete API endpoints and a tightly scoped protocol (auth, create session, upload, start render, poll status, SSE handling). The instructions only reference the external service and per-request headers; they do not ask the agent to read arbitrary system files or unrelated environment variables. The guidance to 'keep technical details out of chat' is operational but not a security red flag by itself.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That lowers install-time risk. Network calls are central to functionality and are described in SKILL.md.
Credentials
note: The only declared credential is NEMO_TOKEN (primaryEnv). That fits the purpose of calling the remote API. But there is an incoherence: the registry lists NEMO_TOKEN as required, while SKILL.md supports generating an anonymous token if no env var exists. Additionally, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) not reflected in the registry summary. No other unrelated secrets are requested.
Persistence & Privilege
ok: The skill is not forced-always, can be invoked by the user, and does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but is not, by itself, a red flag here.