Skill v1.0.0
ClawScan security
Music Video Maker Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 7:08 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with its stated purpose (cloud-backed video generation) but it will make network calls, upload user files, and persist session state — consider privacy and token management before installing.
- Guidance: This skill appears to do what it says: it calls a nemo-video backend to analyze audio/lyrics and produce video assets. Before installing, consider: (1) Privacy — the skill uploads user files (audio/video) and sends them to https://mega-api-prod.nemovideo.ai. Do not upload sensitive content you do not want transmitted. (2) Token handling — it will use NEMO_TOKEN if supplied, or obtain an anonymous token automatically; ask where session IDs/tokens are stored and revoke them if needed. (3) Trust & provenance — the skill's source/homepage are unknown; verify the nemovideo.ai service and its privacy/terms if you rely on it. (4) Prefer supplying your own token if you want control, and avoid keeping long-lived credentials in shared environments. If you need more assurance, request the skill's source code or an official publisher/homepage before installing.
Review Dimensions
- Purpose & Capability (ok): The skill is a cloud-backed music-video generation helper. Requesting a single NEMO_TOKEN and a config path under ~/.config/nemovideo/ is consistent with calling a nemo-video API backend. No unrelated credentials or binaries are requested.
- Instruction Scope (note): SKILL.md instructs the agent to automatically connect to the nemo API on first use (obtain an anonymous token if NEMO_TOKEN is missing), create sessions, send SSE requests, and upload files/URLs to the remote service. These actions are expected for a video-generation service, but they do mean the skill will (1) perform outbound network calls without further prompting, (2) upload user-provided files or local paths to an external host, and (3) read its own frontmatter and detect install paths for attribution headers. The instructions explicitly say not to display raw API responses or tokens to users.
- Install Mechanism (ok): There is no install spec and no code files — this is instruction-only, so nothing is written to disk by an installer. Lowest install risk.
- Credentials (note): Only NEMO_TOKEN is declared as required (primary credential), which aligns with the described API. The skill will generate an anonymous token if none is provided, and it references a config path (~/.config/nemovideo/) where session state may be stored. This is proportionate to the backend usage, but it means credentials/tokens and session IDs may be created and persisted by the skill unless the agent/user manages them explicitly.
- Persistence & Privilege (note): always:false and default autonomous invocation are set (normal). The skill instructs storing a returned session_id for subsequent requests; it does not explicitly say where or how long, so session tokens may be persisted. The skill does not request system-wide privileges or modify other skills' configurations.
