Skill v1.0.0

ClawScan security

Maker For Marketing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 4:20 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior is consistent with a cloud video-processing assistant: it calls a nemo-video API, uploads user media, and requires a single service token — but there are small metadata/instruction mismatches and some unclear persistence details you should review before installing.
Guidance
This skill appears to do what it says: it uploads user video to a nemo-video backend, processes it, and returns a download link. Before installing:
1) Confirm you trust the endpoint domain (mega-api-prod.nemovideo.ai) and review its privacy/terms because you will upload potentially sensitive media.
2) Ask the skill author to clarify the NEMO_TOKEN metadata vs. the anonymous-token flow (will the skill create and persist tokens on disk or only in-memory?). If you prefer control, provide your own NEMO_TOKEN rather than relying on anonymous tokens.
3) Verify where session_id/token are stored and for how long, and whether uploads may be used by the provider for training.
4) If you manage sensitive content, avoid automatic anonymous-token issuance or use an environment-scoped token and confirm data retention/processing policies.

Review Dimensions

Purpose & Capability
note
The skill's name and description match the runtime instructions (upload media, request render, download MP4). Requesting a single service token (NEMO_TOKEN) and a config path (~/.config/nemovideo/) is proportionate. One inconsistency: registry declares NEMO_TOKEN as required, but the SKILL.md prescribes an automatic anonymous-token acquisition path if NEMO_TOKEN is not set (so the skill can operate without a pre-provided credential). This looks like sloppy metadata rather than malice.
Instruction Scope
ok
Instructions are focused on the stated task: authenticate (or obtain anonymous token), create a session, upload files, stream SSE for edits, start renders, poll for status, and return download URLs. The skill only references expected endpoints and the SKILL.md itself for attribution headers. It does not instruct reading unrelated system files or other credentials.
Install Mechanism
ok
There is no install spec and no code files (instruction-only), so nothing is downloaded or written by an installer. This is the lowest-risk install model.
Credentials
note
Only one credential (NEMO_TOKEN) is declared, which is appropriate for a single-service integration. The metadata also lists a config path (~/.config/nemovideo/), which is plausible. The minor concern is the metadata claiming NEMO_TOKEN is required while the instructions describe obtaining an anonymous token automatically — this mismatch should be clarified. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
note
The skill asks to store session_id and to use a token for subsequent requests; it does not request always:true or elevated platform privileges. The SKILL.md does not specify exactly where or how the anonymous token or session_id should be persisted (environment variable, agent storage, disk), which is a privacy/operational detail you may want clarified before use.