Skill v1.0.0
ClawScan security
Add Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 5:03 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are coherent with a cloud-based video background-music service, but it will upload user video files and obtain/hold tokens on a third-party backend — review privacy and consent implications before use.
- Guidance: This skill appears to do what it says: it uploads video/audio to a third‑party cloud service (mega-api-prod.nemovideo.ai), creates/uses a session token (NEMO_TOKEN) and returns rendered files. Before installing, confirm you trust that external service with your media and metadata, and check its privacy/TOS and retention policy. If you need to keep files local/private, do not grant or allow uploads. Consider requiring explicit user confirmation before any upload of large or sensitive videos and verify where tokens or config files will be stored (~/.config/nemovideo/). Finally, because the skill can be invoked autonomously by the agent, ensure your agent's execution policy matches your expectations about automatic network/file operations.
Review Dimensions
- Purpose & Capability (ok): The name/description (add background music to videos) lines up with the declared requirements and runtime instructions: it needs a NEMO_TOKEN to call a cloud render API and uses session IDs, upload and export endpoints, and SSE for streaming — all consistent with a cloud-based video processing service.
- Instruction Scope (note): SKILL.md instructs the agent to automatically create an anonymous token if NEMO_TOKEN is not present, create sessions, upload user media to mega-api-prod.nemovideo.ai, poll for render status, and stream SSE results. These actions are within the stated purpose, but they involve sending user video/audio files and metadata to an external service and performing network operations automatically on first use. The instructions do not ask to read unrelated system files, but metadata references a config path (~/.config/nemovideo/), which may be used for local config storage.
- Install Mechanism (ok): There is no install spec and no code files — the skill is instruction-only. No binaries or downloads are requested, so nothing new will be written to disk by an installer.
- Credentials (ok): The only declared credential is NEMO_TOKEN (primary). The runtime can obtain an anonymous token from the service if the env var is absent; that is a proportionate requirement for a cloud API. The declared config path (~/.config/nemovideo/) is plausible for storing session or token data, though its presence should be expected only if local persistence is needed.
- Persistence & Privilege (note): The skill does not request always:true or system-wide privileges. It can be invoked autonomously (platform default), which means the agent could perform network calls and file uploads without interactive confirmation unless the larger agent policy prevents that. Users should be aware the skill's normal operation includes uploading media to an external backend.
