Skill v1.0.0

ClawScan security

Video Creator Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 27, 2026, 5:09 PM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is broadly consistent with a cloud video-rendering tool, but there are mismatches and behaviors (silent token creation, concealed token handling, and a declared config path in the skill text that isn't in the registry metadata) that warrant caution before installing.
Guidance
This skill appears to be a cloud video-renderer and mostly matches that purpose, but consider the following before installing:
- Confirm where tokens and session data will be stored and for how long (SKILL.md references ~/.config/nemovideo/ but the registry metadata omitted config paths).
- The skill will automatically request an anonymous NEMO_TOKEN if none is provided: ask whether you want the agent to create/store that token without explicit consent each time.
- The instructions say to hide raw API responses and token values from the user — this prevents users from seeing or revoking the token easily.
- Ensure file uploads are limited to files you explicitly provide via the UI/attachment mechanism; clarify whether the agent may be instructed (or may infer) arbitrary local file paths to upload.
- Verify the backend domain (https://mega-api-prod.nemovideo.ai) and its privacy/terms; consider creating a throwaway or limited-scope API token rather than using high-privilege credentials.
If the vendor/backend is trusted and you accept token storage, this skill's behavior is explainable. If not, ask the author to (1) declare config paths and storage behaviour in the registry metadata, (2) require explicit user consent before generating/storing tokens, and (3) restrict uploads to user-attached files only.

Review Dimensions

Purpose & Capability
note
Name/description (cloud video creation) align with the required NEMO_TOKEN credential and the API endpoints described. However, the SKILL.md metadata declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — an inconsistency in declared resource access. Reading the agent install path to set X-Skill-Platform is plausible for attribution but reads local paths.
Instruction Scope
concern
Instructions tell the agent to automatically request an anonymous token if NEMO_TOKEN is missing, create a session, store session_id, and connect to remote endpoints. They also instruct uploading files using local file paths (multipart -F "files=@/path"), and to detect the install path for X-Skill-Platform. The guidance to 'Don't display raw API responses or token values to the user' is unusual and means token values will be hidden by design. These behaviors expand scope beyond simply translating user requests into API calls and could lead to silent network activity or uploading of local files if not tightly constrained to user-supplied attachments.
Install Mechanism
ok
No install spec or code files are present (instruction-only skill). That minimizes disk-write risk; nothing is downloaded or executed by an installer.
Credentials
note
The single required env var (NEMO_TOKEN) is appropriate for a remote API-based video service. But the skill will auto-generate and store an anonymous token if one is not present, and the SKILL.md suggests a config path for storing state/credentials. That extra storage access and hidden handling of tokens should be justified to the user.
Persistence & Privilege
note
The always flag is false and the skill is user-invocable only. The skill intends to store tokens/session IDs (implied by the config path and 'store the returned session_id'), which is a modest persistence request appropriate for a reusable cloud session — but storing credentials/session state without explicit user consent is a usability/privacy concern.