Skill v1.0.0

ClawScan security

Video Runcomfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 7:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with its stated purpose (uploading and processing videos via the nemovideo backend). It is instruction-only and asks only for a single service token, but you will be uploading media to an external service, so make sure it is one you trust.
Guidance
This skill appears coherent with its stated purpose, but note: it will upload any video you provide to an external service (mega-api-prod.nemovideo.ai). Only install or use it if you trust that service or are willing to test with non-sensitive footage. The skill will either accept your own NEMO_TOKEN or obtain a 7-day anonymous token for you; treat that token like a credential. Because this skill is instruction-only, there is no bundle of code to inspect; if you want stronger assurance, ask the publisher for a privacy policy or official homepage, or test with a short, non-sensitive clip first.
Findings
[no-regex-findings] expected: The static scanner found no code to analyze because this is an instruction-only skill (only SKILL.md). Network/API usage is implemented by the instructions rather than code files.

Review Dimensions

Purpose & Capability
ok: Name/description, declared env var (NEMO_TOKEN), declared config path (~/.config/nemovideo/), and the SKILL.md all describe a single backend service (mega-api-prod.nemovideo.ai) for video processing. Nothing required (no unrelated credentials or binaries) appears out of scope for a cloud video-processing skill.
Instruction Scope
ok: SKILL.md describes session creation, optional anonymous-token acquisition, SSE-based chat, upload, export, polling, and error handling, all directly relevant to coordinating uploads and renders. It does not instruct the agent to read unrelated files or environment variables. It does ask the agent to 'auto-detect' platform from install path (minor filesystem probing) and requires uploading user-provided media to the external API, which is expected for this purpose.
Install Mechanism
ok: No install spec and no code files (instruction-only). This minimizes on-disk execution risk; the skill relies on outbound API calls and user-supplied uploads.
Credentials
ok: Only a single credential (NEMO_TOKEN) is required and is declared as primary. The skill documents an anonymous-token fallback flow when NEMO_TOKEN is absent. The declared config path (~/.config/nemovideo/) matches the service and is proportionate.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent/system-level privileges or modify other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other privilege escalations.