Skill v1.0.0

ClawScan security

Tiktok Free Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 12, 2026, 12:42 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (TikTok-ready video processing) is plausible, but there are inconsistent and unexplained behaviors in the manifest and runtime instructions (conflicting config/env requirements and automatic token acquisition) that warrant caution before installing or using it.
Guidance
This skill appears to do what it says (cloud-based video editing) but has a few internal inconsistencies you should clear up before use:
1) Confirm whether you must supply NEMO_TOKEN or whether the skill will auto-create an anonymous token: the top-level manifest says NEMO_TOKEN is required, but SKILL.md says the skill will request one automatically.
2) Ask where session tokens and any downloaded or uploaded files are stored. SKILL.md references ~/.config/nemovideo/, but the registry metadata did not declare any config paths.
3) Verify the backend domain (mega-api-prod.nemovideo.ai) and the service's privacy and retention policy before uploading sensitive videos.
4) If you prefer not to let the skill auto-provision credentials, provide a managed API token or avoid using the skill.
If you need higher assurance, ask the skill author to reconcile the manifest with SKILL.md and to provide a privacy/security document explaining token storage, encryption, and data retention.

Review Dimensions

Purpose & Capability
note · The skill claims to process short videos into TikTok-ready clips, and all described runtime API calls target a video processing backend (mega-api-prod.nemovideo.ai), which is coherent with the stated purpose. However, the SKILL.md metadata lists a config path (~/.config/nemovideo/) while the top-level registry metadata reported no required config paths, which is an internal mismatch. The manifest also lists NEMO_TOKEN as a required primary credential, but the instructions describe auto-obtaining an anonymous token if none is present, which is inconsistent with 'required' semantics.
Instruction Scope
note · The instructions direct the agent to upload user media, create sessions, stream SSE chat edits, poll render status, and include authorization and attribution headers on every request. These network operations are expected for a cloud video-processing skill. The instructions also tell the agent to obtain an anonymous token automatically (a POST to the service) when NEMO_TOKEN is not set and to 'store the returned session_id' for subsequent calls; the storage location is not specified. This automatic network authentication and the opaque token/session storage are legitimate for the feature but deserve scrutiny: where and how tokens and session IDs are persisted, how long they are retained, and what the disclosure risk is.
Install Mechanism
ok · Instruction-only skill with no install script and no code to download. Install risk is low because nothing is written to disk at install time; runtime behavior consists purely of API calls to a remote service.
Credentials
note · Only a single credential (NEMO_TOKEN) is declared as required, which is proportionate for a cloud API-based video processing skill. However, the instructions allow the skill to obtain an anonymous token automatically if NEMO_TOKEN is not set; this conflicts with the declared 'required' env var and changes the credential model from pre-provided to auto-provisioned. The SKILL.md metadata also references a config path for stored data that is not declared in the registry metadata.
Persistence & Privilege
note · The skill does not request 'always:true' and is not force-enabled. It instructs the agent to create sessions and 'store the returned session_id' (and implicitly to store anonymous tokens), likely in the per-skill config path (~/.config/nemovideo/) implied by the SKILL.md metadata. Where these values are stored and how long they persist is unspecified; that persistence, combined with networked token use, increases the blast radius but is not intrinsically excessive for this functionality.
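The Instruction Scope and Persistence & Privilege notes both come down to two runtime questions: may the skill provision a credential on its own, and where does the resulting session_id land. The Python below is an added example of how a wrapper around the skill could settle both before any request leaves the host (pin every URL to mega-api-prod.nemovideo.ai, require an explicit opt-in for anonymous tokens, and persist the session owner-only). It is not part of the skill or of ClawHub; the endpoint path, the session record layout, the token value and the temporary directory standing in for ~/.config/nemovideo/ are constructed assumptions, and the file-mode enforcement assumes a POSIX filesystem.

```python
import json
import os
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Exact-match allowlist of the backend host named in SKILL.md. Deliberately no
# suffix matching: "mega-api-prod.nemovideo.ai.attacker.example" must be rejected.
ALLOWED_HOSTS = frozenset({"mega-api-prod.nemovideo.ai"})


def check_request_url(url: str) -> bool:
    """Gate every outbound call: https only, host pinned, default port only."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:          # malformed port such as ":abc"
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS and port in (None, 443)


def resolve_credential(env: dict, allow_anonymous: bool = False) -> dict:
    """Decide the credential model up front instead of letting the skill choose silently.

    A managed NEMO_TOKEN always wins; anonymous provisioning needs an explicit opt-in.
    """
    token = env.get("NEMO_TOKEN")
    if token:
        return {"mode": "managed", "token": token}
    if allow_anonymous:
        return {"mode": "anonymous", "token": None}   # caller may now POST for a token
    raise PermissionError("NEMO_TOKEN is not set and anonymous provisioning was not enabled")


class SessionStore:
    """Owner-only persistence for the session_id (and any anonymous token)."""

    def __init__(self, root: Path):
        self.root = Path(root)
        self.path = self.root / "session.json"

    def save(self, record: dict) -> Path:
        self.root.mkdir(parents=True, exist_ok=True)
        os.chmod(self.root, 0o700)
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)
        os.chmod(self.path, 0o600)      # in case the file pre-existed with looser bits
        return self.path

    def load(self) -> dict:
        mode = stat.S_IMODE(os.stat(self.path).st_mode)
        if mode & 0o077:
            raise PermissionError(f"{self.path} is group/world accessible (mode {mode:o}); refusing to use it")
        with open(self.path) as f:
            return json.load(f)


def demo_roundtrip() -> dict:
    """Constructed end-to-end run: managed token, pinned host, 0600 session file."""
    cred = resolve_credential({"NEMO_TOKEN": "constructed-managed-token"})   # constructed value
    # Only the host is known from SKILL.md; the endpoint paths are not, so none is assumed here.
    url_ok = check_request_url("https://mega-api-prod.nemovideo.ai/")
    with tempfile.TemporaryDirectory() as tmp:
        store = SessionStore(Path(tmp) / "nemovideo")     # stands in for ~/.config/nemovideo/
        path = store.save({"session_id": "sess-constructed-0001", "mode": cred["mode"]})
        return {
            "url_ok": url_ok,
            "file_mode": stat.S_IMODE(os.stat(path).st_mode),
            "record": store.load(),
        }


if __name__ == "__main__":
    print(demo_roundtrip())
```

The point of resolve_credential raising rather than defaulting is that the choice between a managed token and an anonymous one becomes a visible decision by the operator, which is exactly what the manifest's 'required' declaration and SKILL.md's auto-request instruction disagree about. The mode check in load() refuses a session file that another local user could read, so a token that was written loosely by some other tool is never silently reused.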