Skill v1.0.0

ClawScan security

Video Making Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 2:06 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are broadly consistent with its stated purpose (cloud video rendering) with a few small mismatches in metadata and a couple of behavior details you should review before installing.
Guidance
This skill appears to do what it says (upload media to a cloud rendering API and return MP4s), but review these points before installing:
1) Trust & domain: media and any uploaded content will be sent to https://mega-api-prod.nemovideo.ai — confirm you trust this service and its privacy/retention policies before uploading sensitive media.
2) Token handling: the skill uses NEMO_TOKEN or will auto-request an anonymous token; if you supply a token, ensure it is scoped/rotatable and not reused for other services.
3) Metadata mismatch: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and install-path detection — confirm whether the agent will actually read those paths (you may prefer it not to).
4) No code available / unknown source: this is instruction-only with no homepage or repository listed; if you need stronger assurances, ask the publisher for a public code repo, privacy policy, or company identity.
5) Operational limits: check file-size limits, credit usage, and whether exports incur charges; revoke tokens if you stop using the skill.
If you want higher assurance, request the skill's source or a vendor website and inspect network destinations and token scope.

Review Dimensions

Purpose & Capability
ok: Name/description (create videos from clips/images) matches what the SKILL.md instructs: uploading media, creating a session, queuing render jobs, and returning download URLs from a remote video-rendering API. Required credential (NEMO_TOKEN) and network calls to a nemo-video API are appropriate for a cloud rendering service.
Instruction Scope
note: Instructions are narrowly scoped to the video rendering workflow (session creation, SSE chat, upload, export, polling). They require reading NEMO_TOKEN from the environment or obtaining an anonymous token. The SKILL.md also references deriving headers from an install path (~/.clawhub/, ~/.cursor/skills/) and lists a config path (~/.config/nemovideo/) in its YAML frontmatter — this implies the agent might check the agent install path or config dir, which is out-of-band relative to pure upload/rendering and should be confirmed. Otherwise no instructions ask the agent to read unrelated user files or additional secrets.
Install Mechanism
ok: This is instruction-only with no install spec and no code files, so nothing is downloaded or written during install. That is the lowest-risk model for a skill of this type.
Credentials
note: Only one credential is declared (NEMO_TOKEN) which is appropriate for a third-party API. The SKILL.md, however, documents a fallback to obtain an anonymous token by POSTing to the vendor API if no NEMO_TOKEN is present; this makes the declared required-env semantics slightly inconsistent but not inherently dangerous. No other unrelated secrets or environment variables are requested.
Persistence & Privilege
ok: "always" is false and the skill does not request permanent presence or modification of other skills. It does not require elevated privileges or persistent system-wide changes.