Skill v1.0.0

ClawScan security

Maker Ai Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 12, 2026, 1:34 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requested network calls and token usage match a video-rendering service, but small manifest/instruction inconsistencies and the lack of a verifiable source/homepage raise caution before installing or allowing file uploads.
Guidance
This skill appears to be a thin connector to an external video-rendering API and will upload whatever images/videos you provide to https://mega-api-prod.nemovideo.ai. Before installing or invoking it, consider:
1) Sensitivity of files you will upload — do not send private/identifying content unless you trust the service.
2) The manifest is inconsistent: the registry says NEMO_TOKEN is required but the instructions auto-acquire an anonymous token; also SKILL.md references a config path that the registry omitted. These mismatches and the missing homepage/unknown source reduce trust — prefer skills from published vendors or verify the API domain and privacy policy.
3) If you want tighter control, set NEMO_TOKEN to a token/account you control (avoid letting the agent fetch an anonymous token automatically) and review network activity. If you need greater assurance, ask the publisher for a homepage/terms or for the skill to be published by a verified owner.

Review Dimensions

Purpose & Capability
ok
The name/description (AI video creation) align with the runtime instructions: obtaining/using a NEMO_TOKEN, creating sessions, uploading images/videos, running export/render APIs, and polling for results at https://mega-api-prod.nemovideo.ai. Requested capabilities (upload, SSE, render) are proportionate to the stated purpose.
Instruction Scope
note
SKILL.md gives concrete API flows (anonymous-token, create session, upload, render, poll). It will contact an external backend and upload user media, which is expected for this purpose. It also instructs detecting the install path and reading the skill's YAML frontmatter for attribution (it reads local paths like ~/.clawhub/ or ~/.cursor/skills/ and the skill file itself). It does not instruct reading unrelated system secrets or arbitrary files, but it will transmit user files and session tokens to an external service.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. No binaries or remote downloads are requested, which limits on-disk installation risk.
Credentials
concern
The registry declares NEMO_TOKEN as required/primary (which fits the service). However, SKILL.md explicitly describes auto-generating an anonymous token if NEMO_TOKEN is absent. There is also a mismatch: registry metadata lists no required config paths, but the SKILL.md frontmatter mentions ~/.config/nemovideo/. These manifest/instruction contradictions could cause unexpected behavior; otherwise only a single service token is requested (proportionate).
Persistence & Privilege
ok
No 'always: true' privilege; default autonomous invocation is allowed (normal). The skill stores session_id for its own requests (expected). It does not request elevated system-wide privileges or modify other skills.