Skill v1.0.0

ClawScan security

Video Maker Ai Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 11, 2026, 7:50 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions match its stated purpose (uploading and rendering videos via a Nemo backend), but there are metadata inconsistencies and the skill comes from an unknown source with no homepage — verify the service before giving it credentials or private videos.
Guidance
This skill appears to do what it says (upload video, create renders on a Nemo backend), but exercise caution before installing or providing credentials:
1) The package has no homepage and an unverified owner — confirm the legitimacy of mega-api-prod.nemovideo.ai and the 'NEMO_TOKEN' issuer before supplying real API keys.
2) The SKILL.md allows the skill to obtain an anonymous token automatically if no NEMO_TOKEN is present — this means it will call an external auth endpoint and then send your uploaded media to that backend. Do NOT upload sensitive or private video/audio unless you trust the service and have reviewed its privacy/terms.
3) There's a metadata mismatch about config paths; treat this as a minor red flag and ask the author to clarify.
If you need higher assurance, request the skill's source code or an official homepage/documentation and verify the API host and token issuer before use.

Review Dimensions

Purpose & Capability
note: The name/description (AI video → YouTube-ready MP4) aligns with the runtime instructions (upload, session, render, export endpoints). However the registry metadata at the top said no config paths while the SKILL.md frontmatter claims a config path (~/.config/nemovideo/). The skill requires one credential (NEMO_TOKEN) which is appropriate for a hosted video API, but the upstream host (mega-api-prod.nemovideo.ai) and owner are not verifiable from the package metadata.
Instruction Scope
ok: SKILL.md limits actions to creating sessions, uploading media, using SSE for edits, polling render status, and returning download URLs. It does not instruct the agent to read unrelated files, other environment variables, or system secrets. It does include logic to mint an anonymous token if NEMO_TOKEN is absent (network POST to an auth endpoint).
Install Mechanism
ok: Instruction-only skill with no install spec or code files — lowest install risk (nothing is written to disk by an installer).
Credentials
note: Only a single environment credential (NEMO_TOKEN) is declared as primary, which is reasonable for an API-backed video service. Minor inconsistency: registry summary indicated 'Required config paths: none' while SKILL.md frontmatter lists a config path (~/.config/nemovideo/). No other unrelated secrets are requested.
Persistence & Privilege
ok: always is false and the skill does not request persistent system-wide privileges or modify other skills. Agent autonomous invocation is allowed (platform default) but not by itself a concern here.