Skill v1.0.0

ClawScan security

Video Maker Renderforest · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 6:12 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud video-rendering service: it asks for a single service token, describes the API calls it will make, and has no installable code — nothing appears disproportionate to the stated purpose.
Guidance
This skill appears to do what it claims: it calls a remote NemoVideo API to create sessions, upload user media, and return render URLs. Before installing or using it:
(1) Confirm you trust the NemoVideo backend (https://mega-api-prod.nemovideo.ai) because all uploaded media and generated content will be sent to that service.
(2) Only provide NEMO_TOKEN if it is specifically issued for this service; avoid supplying tokens or secrets for unrelated services.
(3) When uploading files, ensure the agent/platform only uploads files you explicitly provide; do not let the skill attempt to read arbitrary filesystem paths.
(4) Note the small metadata inconsistency (config path listed in SKILL.md but not in registry) — harmless but worth verifying with the skill author if you need strict provenance.
If you need higher assurance, ask the publisher for a homepage or source repo and for details about data retention and privacy of uploaded media.

Review Dimensions

Purpose & Capability
Note: The skill is described as a cloud video rendering helper and requires only a single service token (NEMO_TOKEN), which is consistent. Minor mismatch: the SKILL.md frontmatter metadata includes a config path (~/.config/nemovideo/) but the registry metadata lists no required config paths; this is likely a bookkeeping inconsistency rather than malicious.
Instruction Scope
Note: Instructions are narrowly focused on creating sessions, uploading media, running SSE-based generation, polling renders, and checking credits — all within the rendering backend. Two things to note: (1) upload instructions reference multipart file uploads by local file path (e.g., -F "files=@/path"), which implies the agent will need access to user-provided files or paths; ensure the agent/platform only supplies user-intended files and does not attempt to read arbitrary system files. (2) The runtime asks the agent to derive an X-Skill-Platform value by detecting install paths — this requires inspecting the agent environment/install location, which is benign for telemetry but worth awareness.
Install Mechanism
OK: No install spec or code is included; the skill is instruction-only. That minimizes on-disk risk — the skill relies on outbound HTTP calls to the described backend.
Credentials
Note: The only declared required credential is NEMO_TOKEN (primaryEnv), which matches a cloud rendering service. The SKILL.md also documents generating an anonymous token if NEMO_TOKEN is absent (by calling the service's anonymous-token endpoint) — expected for anonymous usage. There are no unrelated secrets requested. The earlier noted metadata mention of a config path (~/.config/nemovideo/) is not reflected in the registry requirements — a small inconsistency to be aware of.
Persistence & Privilege
OK: The skill does not request always:true and has no install-time persistence. It does instruct keeping session_id for the running session, which is normal session behavior and not a platform-level privilege escalation.