Skill v1.0.0

ClawScan security

Shotcut · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 6:21 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud AI video editing) matches its runtime instructions and requested credential (NEMO_TOKEN), but there are small inconsistencies and privacy-relevant behaviors (no homepage/source, SKILL.md asks for a config path not declared in the registry, and the skill requires sending uploaded media to an external API) that warrant caution before installing.
Guidance
This skill appears to do what it says (upload your video to a NemoVideo backend, run cloud edits, return a download). Before installing or using it: (1) verify you trust the NemoVideo endpoint (no homepage or owner info is provided here), (2) understand that uploading media sends your footage to an external service — do not upload sensitive content you wouldn't want stored or processed by a third party, (3) confirm where NEMO_TOKEN comes from and whether using an anonymous token is acceptable, (4) ask the author or registry to clarify the config-path discrepancy (~/.config/nemovideo/ present in SKILL.md but not declared in registry metadata), and (5) test with non-sensitive sample videos first. If you need higher assurance, request a homepage/privacy policy or source repo before proceeding.

Review Dimensions

Purpose & Capability
note: The name/description describe cloud AI video editing and the SKILL.md contains concrete API endpoints and upload/render workflows that align with that purpose. Requesting a single service token (NEMO_TOKEN) is appropriate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported none — an internal inconsistency about required config paths.
Instruction Scope
note: Runtime instructions stay focused on connecting to the NemoVideo backend, creating sessions, uploading user-provided media, polling render status, and returning download links. This is within the stated scope. Two items to note: (1) the skill will make network calls to obtain anonymous tokens and to upload user media (expected for a cloud editor), and (2) it instructs reading frontmatter/install path to populate X-Skill-Platform and X-Skill-Version headers — that may require inspecting agent install paths or the SKILL.md file and is a minor privacy/telemetry action.
Install Mechanism
ok: Instruction-only skill with no install spec or code files presents low install risk — nothing is downloaded or written by an installer.
Credentials
note: Only one credential is declared (NEMO_TOKEN) and it's the primaryEnv, which is proportional for a cloud editing service. The SKILL.md also describes obtaining an anonymous token when NEMO_TOKEN is absent (network call). The earlier-mentioned discrepancy about a config path in the frontmatter (~/.config/nemovideo/) is unexplained and could imply the skill expects local config files or will look for them; that should have been declared explicitly.
Persistence & Privilege
ok: The skill does not request always:true and no elevated or persistent platform privileges are requested. It uses ephemeral session tokens for cloud jobs; jobs may remain on the remote service if you close the client (not a local privilege escalation).