Skill v1.0.0

ClawScan security

Lyrics Video Maker Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 4:52 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared token requirement and API calls are consistent with a remote lyrics-video rendering service; nothing indicates it is trying to access unrelated credentials or install code on the host, but there is a small metadata inconsistency you should check before trusting it with sensitive tokens or copyrighted media.
Guidance
This skill appears to do what it says: it needs a NEMO_TOKEN to call nemovideo.ai endpoints and upload your audio/lyrics for server-side rendering. Before installing: (1) confirm whether you must provide a personal API token or can use the anonymous token flow (anonymous tokens are preferable if you don't trust the service); (2) verify the config-path mention (~/.config/nemovideo/) — clarify whether the agent will read or write files there; (3) avoid supplying high-privilege or reused credentials; (4) be aware you are uploading audio (copyrighted content risks and privacy implications); and (5) if you need stronger guarantees, ask for the vendor/homepage and privacy/security policy, or test with throwaway data/tokens first.

Review Dimensions

Purpose & Capability
ok
The name/description (create synced lyric videos) matches the runtime instructions: calls to a nemovideo API, upload endpoints, render/export flow, and use of an API token (NEMO_TOKEN) are expected. One minor inconsistency: the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths—this could be an oversight but should be clarified.
Instruction Scope
ok
Instructions are scoped to creating sessions, uploading media, streaming SSE edits, polling render status, and handling credits/errors. They do not instruct the agent to read unrelated system files, global credentials, or user shell history. The skill tells the agent how to obtain an anonymous token and to save session_id; it also warns not to print tokens or raw JSON.
Install Mechanism
ok
There is no install spec and no code files—this is instruction-only, which is the lowest install risk. Nothing is downloaded or written to disk by the skill itself in the provided instructions.
Credentials
note
The only declared credential is NEMO_TOKEN (primaryEnv), which is proportionate to the described API usage. Note the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) that could imply local token/config access; this conflicts with the registry metadata and should be confirmed. The skill also instructs generating an anonymous token via the service if no NEMO_TOKEN exists.
Persistence & Privilege
ok
The skill does not request always:true and does not ask to modify other skills or system-wide settings. Session state (session_id) is kept for the interaction, which is appropriate for the service workflow.