Skill v1.0.0

ClawScan security

Ai Video Frames · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 1:04 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (extracting frames and exporting videos) is coherent with its network calls and single credential, but there are a few inconsistencies and privacy-sensitive behaviors (automatic anonymous auth, automatic backend connection, instructions to hide token output, and a mismatch in declared config-paths) that warrant caution before installing.
Guidance
This skill appears to do what it says — it uploads user videos to a third-party backend to extract frames and return downloads — but exercise caution: 1) If you do not already have a NEMO_TOKEN, the skill will automatically request an anonymous token and connect to mega-api-prod.nemovideo.ai on first use, which means your files may be sent to that service without an extra explicit consent step. 2) The SKILL.md asks the agent to hide raw API responses and token values, reducing transparency about what was sent or returned. 3) There is an inconsistency about a config path (~/.config/nemovideo/) in the skill's frontmatter that isn't reflected in registry metadata — that suggests the skill might expect to read or write a local config directory. Before installing, verify the service domain (mega-api-prod.nemovideo.ai), review its privacy/storage policy, consider providing your own NEMO_TOKEN (so the skill cannot create anonymous tokens), and ask the publisher how long uploads are retained and whether processed media is shared. If you need stronger assurances, decline the skill or sandbox it so media uploads can be audited.

Review Dimensions

Purpose & Capability
note
The skill claims to extract frames and export video and all runtime instructions point to a single cloud service (mega-api-prod.nemovideo.ai) which is consistent with that purpose. However, the SKILL.md frontmatter metadata lists a config path (~/.config/nemovideo/) while the registry metadata states no required config paths — that mismatch is an incoherence. The skill also asks the agent to detect install paths to set an X-Skill-Platform header; detecting install paths is not strictly necessary for frame extraction and implies filesystem inspection beyond the minimal needs of the feature.
Instruction Scope
concern
Instructions direct the agent to automatically connect to an external backend on first use and, if NEMO_TOKEN is absent, to generate an anonymous token by POSTing to the service. The skill will upload user video files to the external domain and requires including attribution headers. It also instructs to 'not display raw API responses or token values to the user', which reduces transparency. These behaviors are consistent with the stated purpose but carry privacy risks (user media sent to an external service) and grant the skill discretion to perform network activity without an explicit user consent step.
Install Mechanism
ok
There is no install specification and no code files (instruction-only). That is low-risk from an install/execution perspective — nothing will be downloaded or written by an installer step.
Credentials
note
The only declared required environment variable is NEMO_TOKEN, which is appropriate for a single-service integration. However, the SKILL.md provides a flow to obtain an anonymous token automatically if none is present, meaning the skill can create and use credentials autonomously. The frontmatter also lists a config path (~/.config/nemovideo/) not present in registry metadata; requiring access to config files would be disproportionate for simple frame extraction unless used to persist session state.
Persistence & Privilege
ok
The skill is not marked always:true and uses the platform default (agent-invocable). It instructs storing a session_id for subsequent API calls but does not request system-wide privileges or to modify other skills. No persistent installer behavior or privileged system changes are requested in the provided instructions.