Skillv1.0.0

ClawScan security

Maker Italiano · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 28, 2026, 4:56 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are internally consistent for a cloud-based Italian video creation service: it needs a NEMO_TOKEN, talks to nemovideo.ai endpoints, uploads user media, and contains no unrelated credential or install requests.
Guidance: This skill is coherent with its stated purpose: it uploads your media and interacts with mega-api-prod.nemovideo.ai to create and return videos. Before installing or invoking it, decide whether you want to give it a personal NEMO_TOKEN (which would let it act on your account and use any associated credits). If you prefer not to share an account token, let the skill obtain an anonymous token (it will do so automatically). Be aware that your uploaded media and project data will be sent to the external service (mega-api-prod.nemovideo.ai) — review that service's privacy/terms if this matters. There is no local install or extra system access requested by the skill.

Review Dimensions

Purpose & Capability: okName/description promise (cloud-based Italian-language video creation) matches the instructions: calls a video-processing backend, uploads media, creates sessions, and exports MP4s. The required env var NEMO_TOKEN and the optional config path ~/.config/nemovideo/ are relevant to that purpose and not excessive.
Instruction Scope: noteSKILL.md instructs the agent to read NEMO_TOKEN from the environment (or obtain an anonymous token via POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token), create a session, upload user media, and poll SSE/render endpoints. These actions are necessary for the described capability. Note: the skill will send user files and metadata to an external service (mega-api-prod.nemovideo.ai) and suggests detecting an install path to set an attribution header, which implies the agent may inspect its runtime/install path—this is reasonable but worth being aware of.
Install Mechanism: okInstruction-only skill with no install spec and no files to write/execute. No third-party packages or downloads are requested in SKILL.md.
Credentials: noteOnly NEMO_TOKEN is required (declared as primaryEnv) and an optional config path (~/.config/nemovideo/) is listed. This is proportional to a cloud service client. Users should understand that providing a personal NEMO_TOKEN grants the skill access to that account's credits and data; if absent the skill will obtain an anonymous token on the user's behalf (100 free credits, 7-day expiry).
Persistence & Privilege: okSkill does not request always: true, does not modify other skills or system settings, and only keeps session state (session_id) needed for the video workflow. Autonomous invocation remains enabled by default (expected).