Skill v1.0.0

ClawScan security

Social Copy Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 19, 2026, 11:36 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior mostly matches its description (upload video, call a nemo-video API, return captions/exports), but there are small incoherences and privacy-relevant behaviors (unknown source, mismatched metadata, requirement to probe install paths, creation/storage of anonymous tokens) that you should understand before installing.
Guidance
This skill appears to do what it says (upload video → remote processing → captions/exports), but exercise caution before installing:

1) Source and homepage are unknown — prefer skills from known publishers.
2) The SKILL.md will contact a third-party API (mega-api-prod.nemovideo.ai) and may upload your video content — do not use with sensitive or private videos unless you trust that service.
3) Provide your own NEMO_TOKEN if you have one; otherwise the skill will create and store an anonymous token (100 credits, 7-day expiry).
4) The skill asks the agent to probe install paths to set an attribution header — this can reveal local path structure; if that worries you, ask for the skill to be modified to use a fixed platform header or to avoid filesystem probes.
5) Confirm where session tokens are stored and how long they persist; if unclear, test with non-sensitive data first.

The mismatched metadata (declared configPaths in SKILL.md but not in registry) is a small red flag — request clarification from the publisher before trusting it with sensitive content.

Review Dimensions

Purpose & Capability
note
The declared purpose (generate social copy/captioned videos) aligns with the actions described (upload video, create session, SSE for generation, render/export). Requesting a single primary credential NEMO_TOKEN is proportionate. However, the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that the registry metadata did not declare — a minor inconsistency in what the skill says it needs versus what was registered.
Instruction Scope
concern
Instructions require network calls to https://mega-api-prod.nemovideo.ai (auth, session, SSE, upload, render). The skill instructs the agent to generate/store an anonymous token if NEMO_TOKEN is absent and to persist session_id. It also directs the agent to detect install path (e.g., ~/.clawhub/ or ~/.cursor/skills/) to set an X-Skill-Platform header — this implies probing local paths/environment to determine platform attribution. Probing install paths and persisting tokens are privacy-sensitive actions and are broader in scope than simply mapping user prompts to the remote API.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer according to the provided metadata.
Credentials
note
Only a single credential (NEMO_TOKEN) is required, which makes sense for a hosted video-processing API. The skill will also create an anonymous token if none is present. The frontmatter mentions a config path (~/.config/nemovideo/) that wasn't listed in the registry's 'required config paths' — this mismatch should be clarified. The skill does not request unrelated secrets, but it does ask the agent to read install paths for platform detection, which could reveal local environment structure.
Persistence & Privilege
ok
always:false and default autonomous invocation are standard. The skill instructs saving session_id and NEMO_TOKEN-like tokens (if created) for session continuity — this is expected for a remote service but is persistence that you should be aware of. There is no instruction to modify other skills or system-wide settings.