Skill v1.0.0

ClawScan security

Ai Highlight Video Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 9:54 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches a cloud video-export helper, but there are inconsistencies around required credentials and filesystem access that you should understand before installing.
Guidance
This skill appears to be a cloud-based video highlight exporter and will call https://mega-api-prod.nemovideo.ai to create sessions, upload video, and return download URLs. Two things to check before installing: (1) The registry lists NEMO_TOKEN as required, but the instructions say the agent will obtain an anonymous token if none is present — decide whether you want the agent using your personal NEMO_TOKEN (a bearer token sent to the remote API) or let it get a temporary anonymous token. (2) The skill's metadata mentions reading ~/.config/nemovideo/ and detecting install paths to set headers; that implies filesystem reads beyond only the skill file. If you have sensitive data in that directory, remove it or deny the skill access. Also verify you trust mega-api-prod.nemovideo.ai (privacy of uploads, retention, and billing), and prefer to test with non-sensitive clips or with the anonymous flow first. If you need higher assurance, ask the publisher for clarifications about what local files are read and whether NEMO_TOKEN is strictly required.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (cloud-based highlight extraction) matches the API calls in SKILL.md and the need for a NEMO_TOKEN. However, the registry declares NEMO_TOKEN as required while the runtime instructions explicitly support obtaining an anonymous token if NEMO_TOKEN is absent — that is an inconsistency. The declared config path (~/.config/nemovideo/) is plausible for a video tool but not justified in the prose.
Instruction Scope
concern: Runtime instructions tell the agent to (a) use NEMO_TOKEN if present or else POST for an anonymous token, (b) create sessions, upload files, run SSE, and poll renders on https://mega-api-prod.nemovideo.ai — all consistent with a remote renderer. But the skill also instructs reading its own YAML frontmatter and detecting install path (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform, and metadata declares a config path (~/.config/nemovideo/). Those steps require file-system reads; the manifest doesn't clearly justify reading user config directories. The instructions also refer to 'three attribution headers above' but the doc is slightly sloppy about which exact headers are required.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. This is low-risk from an install perspective — nothing will be dropped to disk by an installer step.
Credentials
note: Only one credential (NEMO_TOKEN) is declared, which is appropriate for a cloud API. However, declaring it as required while the SKILL.md supports anonymous-token acquisition is inconsistent. The declared config path could expose local tokens/config if the agent reads it; that access should be explicit and justified.
Persistence & Privilege
ok: No always:true flag, no unusual persistence. Agent autonomy is allowed (platform default) but not itself an additional red flag here.