Skill v1.0.0

ClawScan security

Voiceover Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 6:16 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches a cloud-based voiceover service, but there are small metadata inconsistencies and it will upload your videos and create/use tokens on an external service — verify before installing or supplying credentials.
Guidance
This skill will upload your videos and use an API token to control render jobs on mega-api-prod.nemovideo.ai. Before installing or invoking it:
1) Confirm the provider (nemovideo.ai) is trustworthy and intended; there is no homepage/source listed.
2) Prefer using the anonymous-token flow rather than supplying an existing NEMO_TOKEN tied to your account/credits.
3) Ask the author why registry metadata omits the config path referenced in SKILL.md and confirm what (if anything) is written to ~/.config/nemovideo/.
4) Do not upload sensitive or private video content unless you accept that it will be sent to a third-party cloud and may be retained per their policies; ask about retention and deletion.
5) If you need stronger assurance, request the skill source or a verified homepage and/or limit use to ephemeral/throwaway credentials.

Review Dimensions

Purpose & Capability
Note: Name/description match the runtime instructions: the skill uploads videos, requests a session and renders outputs via nemovideo.ai using a NEMO_TOKEN. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and install-path detection for attribution headers while the registry metadata lists no config paths and no homepage/source is provided. That metadata mismatch and missing provenance are worth confirming with the author.
Instruction Scope
Note: Runtime instructions are narrowly focused on session creation, SSE messaging, uploading video files (multipart or URL), polling renders, and returning download URLs. The skill instructs the agent to read this file's YAML frontmatter and detect install paths (~/.clawhub/, ~/.cursor/skills/) to populate attribution headers; this implies limited filesystem checks. There are no instructions to read unrelated system credentials or files, but user videos and any provided token will be transmitted to an external service (mega-api-prod.nemovideo.ai).
Install Mechanism
OK: No install spec and no code files (instruction-only). That lowers risk because nothing arbitrary is written to disk by an installer.
Credentials
Note: The declared primary credential is a single token (NEMO_TOKEN), which is appropriate for a cloud render service. The SKILL.md also implements an anonymous-token flow if NEMO_TOKEN is absent. Be aware that any token (anonymous or user-supplied) grants the service ability to create sessions, run jobs, and access uploaded media and account credits; evaluate whether you want to supply an existing long-lived token.
Persistence & Privilege
OK: The skill does not request always:true or other elevated platform privileges. It instructs the agent to hold session_id for operations, which is normal for a session-based cloud API.