Skill v1.0.0

ClawScan security

Maker Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 5:13 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video-editing service: it needs one service token and uploads user media to the provider's API; nothing in the package tries to access unrelated credentials or systems.
Guidance
This skill appears to be what it claims: it will upload any media you provide to a third‑party service (mega-api-prod.nemovideo.ai) and requires a service token (NEMO_TOKEN). Before installing or using it: (1) confirm you trust nemovideo.ai and review its privacy/retention policy, (2) avoid putting sensitive footage or secrets in uploads, (3) prefer using an ephemeral or least-privilege token (the skill can create an anonymous token for short-term use), (4) verify billing/credit implications (anonymous tokens have limited credits), and (5) note the metadata references a local config path (~/.config/nemovideo/); ask the author how, or whether, that path is used to persist tokens or session data. If you need stronger assurance, request publicly documented service provenance (homepage, docs, or GitHub) before proceeding.

Review Dimensions

Purpose & Capability
note
The name/description (YouTube video maker) matches the declared requirement for a NEMO_TOKEN and the API endpoints in SKILL.md: session creation, upload, render, credits, etc. Minor mismatch: metadata lists a config path (~/.config/nemovideo/) though the visible instructions do not explicitly tell the agent to read/write that path; this is plausibly for storing tokens/sessions but is not documented in SKILL.md.
Instruction Scope
ok
The SKILL.md contains concrete API calls and SSE handling and limits itself to (a) creating/using a token, (b) creating a session, and (c) uploading user-provided media to the provider's endpoints. It does not instruct the agent to read arbitrary files or other environment variables beyond NEMO_TOKEN. Behavior that involves sending files to the remote service is expected for this purpose and is explicitly documented.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files, which is the lowest install risk. Nothing is downloaded or written to disk by an installer in the skill bundle.
Credentials
note
Only one credential is required: NEMO_TOKEN (primaryEnv). SKILL.md also documents creating an anonymous token via the provider's anonymous-token endpoint if no token is present. Requiring a single service token is proportionate; however, because the skill will upload user media to a third-party domain, users should treat NEMO_TOKEN as sensitive and confirm they trust the service.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevated agent-wide privileges. It does instruct saving session_id and using tokens for the session, which is normal for this kind of integration. There is no instruction to modify other skills or global agent config beyond its own session/token use.