Skill v1.0.0

ClawScan security

Ai Video Editor Background Changer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 16, 2026, 6:03 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's required assets and runtime instructions are consistent with a cloud-based video background replacement service; it asks for one service token and uploads user media to a third‑party API as expected.
Guidance
This skill sends your uploaded video files to mega-api-prod.nemovideo.ai for cloud processing and uses a NEMO_TOKEN (or will request an anonymous token automatically). That behavior is expected for this functionality but does mean your media is transmitted to a third party — do not upload sensitive footage unless you trust the provider. Note the small metadata mismatch: SKILL.md lists a config path (~/.config/nemovideo/) while the registry summary did not; confirm whether the skill will read or write that path if you care about local files. If you want to limit exposure, create a short‑lived or restricted token for testing, review the provider's privacy/TOS, and avoid storing permanent credentials in shared environments.

Review Dimensions

Purpose & Capability
note
The skill claims to perform cloud video background replacement and its instructions only request a single service credential (NEMO_TOKEN) and call endpoints on mega-api-prod.nemovideo.ai — this is coherent. Minor inconsistency: the registry metadata at the top listed no required config paths, but the SKILL.md frontmatter declares requires.configPaths ["~/.config/nemovideo/"]. That path is plausible for this service but the mismatch should be resolved.
Instruction Scope
ok
SKILL.md explicitly describes the API calls (anonymous token acquisition, session creation, file upload, SSE message handling, export polling). All actions are within the stated purpose (upload video, request processing, receive download URL). It does instruct the agent to upload user-provided files (multipart or URL) and to include authorization and attribution headers — sending user media to the service is expected behavior. The instructions do not direct reading arbitrary unrelated local files or unrelated environment variables.
Install Mechanism
ok
No install spec or code files are present; the skill is instruction-only. This is the lowest-risk install mechanism because it does not write or execute additional code on disk.
Credentials
note
Only one credential is required: NEMO_TOKEN (declared as primaryEnv). The SKILL.md also contains logic to obtain an anonymous token if NEMO_TOKEN is not present, which is consistent but means the skill may contact the provider to mint a short-lived token on first use. The frontmatter's configPaths entry (~/.config/nemovideo/) is consistent with the service but conflicts with the registry summary that listed no required config paths — this discrepancy should be clarified. No unrelated secrets or additional credentials are requested.
Persistence & Privilege
ok
The skill does not request always:true, has no install behavior, and does not modify other skills or system-wide settings. It runs via API calls and SSE; autonomous invocation is allowed (platform default) but is not elevated here.