Skillv1.0.0

ClawScan security

Youtube Video Creator Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 10, 2026, 8:10 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent with its stated purpose: it calls a Nemovideo cloud API, requires a single NEMO_TOKEN credential (which it can obtain anonymously), and only describes uploading user media to that service.
Guidance: This skill appears to do what it claims: it uploads media to the Nemovideo cloud backend and returns rendered videos. Before installing or using it: (1) confirm you trust the remote service (mega-api-prod.nemovideo.ai) and its privacy policy — any media you upload will be sent there; (2) be cautious about putting sensitive content or credentials into the agent environment; NEMO_TOKEN is the primary credential — treat it like an API key; (3) note the skill can obtain an anonymous token automatically if none is present (100 free credits, 7-day expiry), which still contacts the vendor; (4) if you do not want the skill to access local files, avoid sending file paths and instead provide only content you are comfortable uploading; (5) because this is instruction-only, review runtime behavior when first invoked (it will announce 'Connecting...' and 'Ready!') and revoke any tokens you do not want to remain valid.

Purpose & Capability: okName/description (YouTube video creation) line up with the declared env var (NEMO_TOKEN) and metadata (~/.config/nemovideo). The skill talks to a single backend (mega-api-prod.nemovideo.ai) which is consistent with providing cloud video rendering.
Instruction Scope: noteSKILL.md describes creating sessions, sending SSE messages, and uploading files (multipart or URL). This is expected for a cloud render workflow, but it explicitly references multipart uploads using local file paths (-F "files=@/path"), so the agent will need user-provided files or file handles to upload. The frontmatter lists a config path (~/.config/nemovideo/); the instructions do not require reading arbitrary system files beyond user media, but the presence of that config path suggests the skill could look there if implemented.
Install Mechanism: okInstruction-only skill with no install spec or downloaded code—lowest-risk delivery model. Nothing is written to disk by an installer in the SKILL.md.
Credentials: okRequests a single credential (NEMO_TOKEN) which is the expected API token for the backend. The SKILL.md describes obtaining an anonymous token if none is present, which is consistent. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege: okNo always:true, no install-time modifications, and default autonomous invocation is used. The skill does not request elevated system privileges or access to other skills' configs.