Skill v1.0.0

ClawScan security

Video Maker Arabic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 1:24 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's required credential (NEMO_TOKEN), endpoints, and runtime instructions are coherent with a cloud-backed Arabic video creation service; the main risk is that user media and metadata are uploaded to an external service, which is expected behavior for this skill.
Guidance
This skill uploads your videos/images and related session metadata to mega-api-prod.nemovideo.ai and requires an API token (NEMO_TOKEN). Before installing, verify you trust the nemo video service and its privacy/retention policies; avoid uploading sensitive videos if you are unsure. Note the SKILL.md can obtain an anonymous temporary token if NEMO_TOKEN is absent (100 free credits, 7-day expiry). Ask the publisher to clarify the config path usage (~/.config/nemovideo/) and confirm where user data is stored/retained. If you need tighter control, require explicit user consent before any upload and review network activity or use a sandboxed environment for testing.

Review Dimensions

Purpose & Capability
ok
The name/description (Arabic video creation with RTL captions) align with the declared credential (NEMO_TOKEN) and the SKILL.md endpoints (nemovideo.ai). One minor inconsistency: the top-level registry metadata said no required config paths, but the SKILL.md YAML frontmatter lists a config path (~/.config/nemovideo/). This is likely a small metadata mismatch rather than functional misalignment.
Instruction Scope
note
Instructions stay within the expected scope: check/use NEMO_TOKEN, obtain an anonymous token if missing, create a session, upload user video/images, start renders, and stream/poll results. This necessarily involves uploading user media and session metadata to mega-api-prod.nemovideo.ai — which is expected for a cloud render service but is a privacy/security consideration. The skill also asks the agent to detect install path to set an attribution header; this implies the agent may read its install location.
Install Mechanism
ok
No install spec or code files are present (instruction-only). Nothing will be written to disk by an installer as part of skill installation, which lowers supply-chain risk.
Credentials
ok
Only one credential (NEMO_TOKEN) is required and is the expected type for a cloud API. The SKILL.md also references a local config path in its frontmatter (~/.config/nemovideo/), which suggests optional local config access — this should be clarified, but it is not disproportionate to the stated purpose.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevated or persistent platform privileges. Autonomous invocation is allowed (platform default) and appropriate for a user-invoked media processing skill.