Skill v1.0.0

ClawScan security

Video Maker Guru · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 9:11 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions largely match a cloud video-editing tool, but small inconsistencies and ambiguous runtime behaviors (token handling, config-path metadata, and path detection) merit caution before installing.
Guidance
This skill appears to be a legitimate cloud-based video editor, but review these before installing:
1) The skill uploads whatever video you provide to https://mega-api-prod.nemovideo.ai — do not upload sensitive content you don't want sent to an external service.
2) The skill will use or create a NEMO_TOKEN; confirm where that token is stored and rotate it if you later stop using the skill.
3) Metadata inconsistencies: SKILL.md mentions a config path (~/.config/nemovideo/) and asks the agent to detect install paths — clarify whether the skill will read files outside its own bundle.
4) The anonymous token flow is convenient but means the skill can obtain credentials at runtime; ensure you trust the nemo domain.
5) If you want to proceed, test with non-sensitive sample videos first and monitor network requests/logs; ask the publisher for a privacy/security statement or an official homepage/source before giving it access to private media.

Review Dimensions

Purpose & Capability
note: Name/description (cloud video editing) align with the API endpoints and upload/export actions described. However, SKILL.md metadata includes a required configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — an internal inconsistency. The skill also asks the agent to detect the install path to set X-Skill-Platform, which requires reading local paths (minor but out-of-band for a pure API-only helper).
Instruction Scope
note: Runtime instructions are explicit about creating sessions, uploading video files (multipart or URL), sending SSE messages, polling render jobs, and downloading results — all expected for this purpose. Ambiguities: the text refers to "the three attribution headers above" without clearly listing them; SKILL.md instructs reading the frontmatter (its own file) and detecting install paths (filesystem access). The flow also includes generating an anonymous token by POSTing to an external endpoint and treating the returned token as NEMO_TOKEN, which delegates credential creation to the skill logic.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer.
Credentials
note: Only a single credential (NEMO_TOKEN) is declared and used, which is appropriate for an external video API. The skill also documents a flow to obtain an anonymous NEMO_TOKEN if one isn't present (POST to mega-api-prod.nemovideo.ai). That behavior is reasonable but raises questions about where the token is stored/retained and whether the agent will persist it. The metadata configPaths inconsistency is also relevant: the skill claims a config dir (~/.config/nemovideo/) in metadata, but the registry entry claims none.
Persistence & Privilege
ok: Skill does not request always:true and does not ask to modify other skills or system settings. Autonomous invocation is allowed (platform default) but is not combined with high privileges here.