Skill v1.0.0
ClawScan security
Maker Online Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 6:11 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions mostly match a cloud video-exporter: it asks for a single service token and describes only network calls and user-file uploads—however there is a small metadata inconsistency about a config path that you should verify before installing.
- Guidance: This skill appears to be what it says: a cloud-based video creator that needs one token (NEMO_TOKEN) to talk to the Nemovideo API and to upload your media. Before installing: confirm you are comfortable uploading your files to https://mega-api-prod.nemovideo.ai and review that service's privacy policy; verify the domain and that HTTPS is used; confirm whether the skill will read or store anything under ~/.config/nemovideo/ (SKILL.md frontmatter mentions this path but registry metadata did not); avoid using the skill with sensitive personal data unless you trust the remote service; and keep your real NEMO_TOKEN secret (the skill can also generate an ephemeral anonymous token if you prefer). If you want greater assurance, ask the skill author to remove or explicitly document any local config access and to explain how/where session tokens are persisted.
Review Dimensions
- Purpose & Capability (ok): Name/description (cloud video creation and export) align with the runtime instructions and the single required credential NEMO_TOKEN. The API endpoints (nemovideo domain) and upload/export flows are coherent with the stated purpose. Note: the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) even though the registry metadata listed no required config paths—this discrepancy should be clarified.
- Instruction Scope (ok): SKILL.md instructs the agent to obtain/refresh NEMO_TOKEN (optionally via anonymous-token flow), create sessions, upload user-provided media, stream SSE for interactive edits, and poll export status. All of these actions are within the expected scope for a cloud video-rendering skill. The instructions do not ask the agent to read unrelated system files or other credentials. It does, however, direct uploads of user files to an external service (the intended behavior) and requires the agent to include attribution headers on every request.
- Install Mechanism (ok): No install spec or code is present (instruction-only), so nothing is written to disk or downloaded by the skill itself. This is the lowest-risk install mechanism and matches the provided SKILL.md.
- Credentials (note): Only NEMO_TOKEN is declared as required (primary credential), which is proportionate to calling the remote API. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that implies the agent might read local configuration to find stored tokens—this was not reflected in the top-level registry metadata and should be confirmed. No other unrelated secrets or credentials are requested.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide changes. The agent may invoke the skill autonomously (normal default). The skill's instructions say to save a session_id, but do not instruct modifying other skills' configs or system settings.
