Skill v1.0.0

ClawScan security

Ai Karaoke Video Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 22, 2026, 8:36 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (make karaoke videos) matches its runtime instructions, but there are metadata inconsistencies and privacy-sensitive behaviors (uploading user media to an external API, probing local install paths) from an unknown source that warrant caution.
Guidance
This skill appears to implement a cloud-based karaoke video service and needs a NEMO_TOKEN to upload your media and create videos. Before installing or using it:
1) Verify the service domain and publisher (there is no homepage and the owner is unknown).
2) Understand that your audio/video files will be uploaded to mega-api-prod.nemovideo.ai — do not send sensitive or private media unless you trust that endpoint and its privacy policy.
3) Clarify the config-path discrepancy: SKILL.md mentions ~/.config/nemovideo/ and detecting install paths (reading ~/.clawhub/, ~/.cursor/skills/) — ask the publisher why filesystem probing is needed and what exact paths will be read.
4) If possible, use the anonymous-token flow (throwaway token) instead of a long-lived personal token, and confirm token scope and expiry.
5) Ask the publisher for a homepage, privacy policy, and contact info; absence of these lowers trust.
Providing those items or publishing the skill code would increase confidence.

Review Dimensions

Purpose & Capability
note: The skill's name and description (karaoke lyric video creation) align with the API calls and workflows described in SKILL.md (upload, render, export). Requiring a service token (NEMO_TOKEN) is proportional. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata provided earlier listed no required config paths — that inconsistency should be clarified by the publisher.
Instruction Scope
concern: The instructions direct the agent to upload user audio/video to an external domain (mega-api-prod.nemovideo.ai) and to persist/use a session token and session_id — behavior consistent with a cloud render service but privacy-sensitive. The SKILL.md also instructs the agent to read this file's YAML frontmatter and detect the install path (e.g., checking ~/.clawhub/ or ~/.cursor/skills/), which requires probing filesystem locations in the user's home directory. Reading install paths to set an attribution header is plausible but is an extra, potentially sensitive filesystem access that should be explicitly justified.
Install Mechanism
ok: This is an instruction-only skill with no install spec or bundled code, so nothing will be written to disk by an installer. That minimizes installation risk.
Credentials
note: The skill requires one credential (NEMO_TOKEN) and uses it for API calls — expected for a third-party cloud rendering service. It also documents an anonymous-token endpoint to obtain a temporary token, which is reasonable for a free/guest flow. Still, the token grants access to upload media and start render jobs, so users should ensure the token is issued by a trusted service and avoid reusing sensitive account tokens. The earlier registry metadata's omission of config paths vs SKILL.md's metadata that references a config path is a discrepancy to resolve.
Persistence & Privilege
ok: always is false and the skill does not request system-wide or perpetual privileges. It instructs saving session_id and using the token for API calls, which is normal for a web service integration and does not itself indicate excessive privilege.