Skill v1.0.0

ClawScan security

Ai Add Music To · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 11, 2026, 8:19 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (adding music to videos) matches its runtime instructions and the single required secret, NEMO_TOKEN. However, the SKILL.md frontmatter and the registry metadata disagree about a local config path (~/.config/nemovideo/), and that request is not explained anywhere, so caution is warranted before installing.
Guidance
This skill appears to do what it claims (upload videos to a cloud API, add music, return exports) and needs only a NEMO_TOKEN. Check two things before installing: (1) Ask the author whether the skill reads or writes ~/.config/nemovideo/ (where tokens or other user data might be stored); the SKILL.md frontmatter lists that path but the registry metadata does not. (2) Confirm the backend domain (mega-api-prod.nemovideo.ai) and the service's privacy and retention policy for uploaded videos (are they stored, reviewed, or used to train models?). Also: do not reuse a high-privilege secret as NEMO_TOKEN, prefer ephemeral/anonymous tokens for testing, and verify whether exports or billing/credit operations incur charges before sending sensitive content.

Review Dimensions

Purpose & Capability
note: Name/description, endpoints, and the required NEMO_TOKEN align with a cloud video-processing/music-addition service. However, the SKILL.md frontmatter includes a configPaths value (~/.config/nemovideo/) that is not listed in the registry's top-level requirements. This mismatch is unexplained and could indicate that the skill expects local config access or intends to persist tokens locally.
Instruction Scope
note: SKILL.md instructs the agent to create/refresh a bearer token, create sessions, upload user video files, stream SSE responses, and poll render status, all of which is expected for a cloud render service. No instructions request unrelated system files or unrelated credentials, but the frontmatter configPaths hint (and the requirement to auto-detect an install path for the X-Skill-Platform header) expands the scope slightly and should be clarified.
Install Mechanism
ok: Instruction-only skill with no install spec or code files; nothing is written to disk by an installer, so installation risk is low. The runtime will perform network calls to the documented API endpoints.
Credentials
concern: Only NEMO_TOKEN is required, which is appropriate. The concern is the frontmatter's configPaths entry (~/.config/nemovideo/), which suggests access to local config/storage (potentially containing tokens). The registry-level requirements omit this path, creating an inconsistency that could lead to unexpected local reads/writes.
Persistence & Privilege
ok: always:false and normal autonomous invocation are used. The skill will store session_id and tokens as part of its flow (expected for a session-based API) but does not request system-wide privileges or other skills' configs.
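The frontmatter-versus-registry mismatch above, and the guidance's advice to confirm the backend domain, can both be checked mechanically before installing. The script below is an added example and is not ClawHub's scanner or this skill's own code: the SKILL.md text and registry entry in it are constructed to reproduce the scan's finding, and the frontmatter shape (flat `key: value` and `key: [a, b]` lines with a `configPaths` key) and the registry dictionary layout are assumptions about the format. It extracts every host and every `~/` path the instruction body references and reports hosts the reviewer has not vetted, paths outside any declared configPaths entry, and configPaths entries the registry does not carry.

```python
"""Consistency check for a skill bundle: frontmatter vs registry vs SKILL.md body.

Added example. SKILL_MD and REGISTRY_META are constructed stand-ins for the
real artifact; the frontmatter and registry shapes are assumptions.
"""
import re
from dataclasses import dataclass

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.S)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
HOME_PATH_RE = re.compile(r"~/[\w./-]+")

# Constructed SKILL.md that mirrors the scan's finding: configPaths is
# declared in the frontmatter, and the body writes under that directory.
SKILL_MD = """---
name: ai-add-music-to
env: [NEMO_TOKEN]
configPaths: [~/.config/nemovideo/]
---
1. POST https://mega-api-prod.nemovideo.ai/auth/token with NEMO_TOKEN as bearer.
2. Cache session_id in ~/.config/nemovideo/session.json for later calls.
3. Upload the video to https://mega-api-prod.nemovideo.ai/sessions/{id}/upload
   and poll https://mega-api-prod.nemovideo.ai/renders/{id} until done.
"""

# Constructed registry listing that, as the page describes, omits the path.
REGISTRY_META = {"env": ["NEMO_TOKEN"], "configPaths": []}


def parse_frontmatter(text):
    """Return (frontmatter dict, body). Handles flat `key: value` and
    `key: [a, b]` lines only (assumed frontmatter shape)."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        return {}, text
    meta = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            meta[key.strip()] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            meta[key.strip()] = value
    return meta, m.group(2)


@dataclass
class Findings:
    undeclared_hosts: list        # hosts the body contacts that the reviewer has not vetted
    frontmatter_only_paths: list  # configPaths in SKILL.md but missing from the registry
    undeclared_paths: list        # ~/ paths the body touches outside any declared configPath


def check_skill(skill_md, registry_meta, trusted_hosts):
    """Compare what the body does against what frontmatter and registry declare."""
    meta, body = parse_frontmatter(skill_md)
    fm_paths = meta.get("configPaths", [])
    reg_paths = registry_meta.get("configPaths", [])
    hosts = sorted(set(HOST_RE.findall(body)))
    paths = sorted(set(HOME_PATH_RE.findall(body)))
    return Findings(
        undeclared_hosts=[h for h in hosts if h not in trusted_hosts],
        frontmatter_only_paths=[p for p in fm_paths if p not in reg_paths],
        undeclared_paths=[p for p in paths if not any(p.startswith(d) for d in fm_paths)],
    )


if __name__ == "__main__":
    # The trusted host set is what the reviewer confirmed with the author.
    print(check_skill(SKILL_MD, REGISTRY_META, {"mega-api-prod.nemovideo.ai"}))
```

Run against the constructed sample, the only finding is the one the scan raised: `~/.config/nemovideo/` appears in the frontmatter but not in the registry. An extra host in the body, or a `~/` path outside the declared directory, would surface in the other two lists; the check is a pre-install triage aid, not a substitute for reading the instructions.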