Skillv1.0.0

ClawScan security

Voiceover For Videos · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 22, 2026, 5:07 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are consistent with a cloud video-voiceover service, but there are small metadata inconsistencies and it will upload user videos to an external API — verify you trust that service before using it.
Guidance: This skill appears to do what it says: it uploads your video to a third-party API (mega-api-prod.nemovideo.ai) to add AI narration. Before installing or using it: 1) Confirm you trust the NemoVideo service and its privacy/storage/retention policy — uploaded videos and transcripts will be sent to their servers. 2) Note that if you don't supply NEMO_TOKEN the agent will request an anonymous token from the endpoint; understand what account/credits/expiry that grants. 3) Ask the publisher to clarify the metadata mismatch (the frontmatter references a config path ~/.config/nemovideo/ but the registry reported none). 4) Avoid uploading sensitive or private videos unless you've verified data handling and retention. 5) If you need stricter control, require that the skill not run autonomously or that network calls be manually approved.

Review Dimensions

Purpose & Capability: okName/description (AI voiceover for videos) aligns with required credential (NEMO_TOKEN) and the API endpoints described for uploading, rendering, and exporting video. The skill expects a remote rendering service (nemovideo) which fits the stated purpose. Note: the skill frontmatter declares a config path (~/.config/nemovideo/), but the registry metadata shown earlier listed no required config paths — this mismatch should be clarified.
Instruction Scope: noteSKILL.md stays within the stated scope: connect to the remote nemo-api, create/use a token, create a session, upload video files, stream SSE responses, and poll render status. It instructs the agent to read the SKILL.md YAML frontmatter at runtime and to detect installation platform by probing install paths (~/.clawhub/, ~/.cursor/skills/), which requires limited filesystem access. There are no instructions to read unrelated system files or to exfiltrate arbitrary data, but the skill will upload user-supplied media to an external service — consider privacy implications.
Install Mechanism: okInstruction-only skill with no install spec and no code files — low install risk. Nothing is downloaded or extracted by the skill itself.
Credentials: noteOnly one credential is required: NEMO_TOKEN (primary credential). That is proportionate to a cloud API service. However, the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) which was not listed in the registry's required configPaths — this inconsistency should be clarified. The skill will create an anonymous token via the nemovideo auth endpoint if NEMO_TOKEN is not set.
Persistence & Privilege: okNo elevated platform privileges requested (always:false). The skill operates by calling a third-party API and saving session_id/token locally for the session; it does not request to modify other skills or agent-wide config. Note: autonomous invocation is allowed (default) and combined with network access means the skill can autonomously upload files to the external service when invoked — review expected behaviors before enabling autonomous runs.