Skill v1.0.0

ClawScan security

Sports Program Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 6:49 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video editing service: it only needs a service token (NEMO_TOKEN), describes API calls for session/upload/render, and has no install or unexpected credential demands.
Guidance
This skill uploads your videos and metadata to an external API (mega-api-prod.nemovideo.ai) and uses a NEMO_TOKEN for authorization. Before installing or using it: 1) Confirm you trust the nemovideo domain and review its privacy/retention policy (what happens to uploaded footage?). 2) If you don’t have a permanent token, use the described anonymous-token flow or a throwaway token for sensitive content. 3) Be aware the agent will send your files to the remote service (don’t upload footage you can’t share). 4) Monitor credit/billing endpoints (the skill exposes a credits API); ensure you understand any rate/charge model. 5) If you’re uncomfortable with the domain or unknown source, don’t provide a long-lived token and consider trimming or redacting sensitive material before upload.

Review Dimensions

Purpose & Capability
ok
The skill claims to perform cloud video editing and only asks for a single service credential (NEMO_TOKEN) and an optional config path for nemovideo; the declared env var and API endpoints align with that purpose. No unrelated cloud provider keys or system credentials are requested.
Instruction Scope
note
SKILL.md gives detailed runtime instructions for creating a session, uploading video, streaming SSE, polling renders, and checking credits — all within the stated domain (mega-api-prod.nemovideo.ai). It instructs the agent to generate an anonymous token if no NEMO_TOKEN exists. Minor scope note: it suggests detecting install path to set an attribution header (reading install path would require filesystem access), but the file does not instruct the agent to read unrelated user files or environment variables.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. No downloads or package installation are required.
Credentials
ok
Only a single credential (NEMO_TOKEN) is required and is the expected credential for interacting with the described API. The skill documents an anonymous-token flow if no preconfigured token exists. No additional unrelated secrets or many environment variables are requested.
Persistence & Privilege
ok
always:false (not forced into every agent run). The skill asks to create and keep a session_id for render jobs, which is normal for a remote job workflow. It does not request persistent or system-wide privileges or to modify other skills.