Skillv1.0.0

ClawScan security

Add Music To Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 11, 2026, 9:36 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent with its stated purpose (adding music to silent AI videos) and do not request unrelated credentials or risky installs, but there are minor inconsistencies in metadata and a couple of implementation details you should be aware of before installing.
Guidance: This instruction-only skill appears to be what it says: it calls nemovideo.ai endpoints to add music and export videos and needs a NEMO_TOKEN to authenticate. Before installing, confirm you trust the domain (mega-api-prod.nemovideo.ai) because your uploaded videos and any generated tokens/session IDs will be sent there. Note the small metadata mismatch: SKILL.md references a config path (~/.config/nemovideo/) and auto-detecting an install path for X-Skill-Platform — ask the publisher what local reads (if any) the skill will perform. If you prefer not to provide a long-lived token, let the skill generate an anonymous token for temporary use as described. Finally, remember the skill will upload your video files to a third-party service — don't send sensitive footage unless you accept that external processing and storage policy.

Review Dimensions

Purpose & Capability: okThe skill is an instruction-only connector to a remote video-processing API and only requests a service token (NEMO_TOKEN) needed to authenticate with that API. Required headers, upload endpoints, and supported formats align with the video-processing purpose.
Instruction Scope: noteInstructions are focused on API actions (create session, upload file, run SSE, poll render). The skill expects to upload user-provided video files and to store session_id and short-lived tokens. Nothing in the instructions asks the agent to read unrelated local files or other environment secrets. Note: the frontmatter asks for a config path (~/.config/nemovideo/) and the skill expects to auto-detect an install path for X-Skill-Platform — these behaviors could require access to local paths/metadata and are not fully explained.
Install Mechanism: okNo install steps or binary downloads are present (instruction-only). This is low-risk: the skill does not write archives or install third-party code on disk.
Credentials: noteThe only declared credential is NEMO_TOKEN, which is appropriate for a remote API service. However, SKILL.md frontmatter references a config path (~/.config/nemovideo/) not listed in the registry metadata; that discrepancy should be resolved. Otherwise no unrelated secrets or credentials are requested.
Persistence & Privilege: okalways is false and model invocation is allowed (platform default). The skill instructs saving session tokens and session_id for operation, which is reasonable for a remote render workflow. It does not request persistent system-wide privileges or modifications to other skills.