Skill v1.0.0

ClawScan security

Ai Wedding Invitation Video Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 18, 2026, 7:29 AM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior (uploading your photos and calling a third‑party rendering API) matches its description, but metadata inconsistencies, absence of a known source/homepage, and implicit access to local config paths raise caution.
Guidance
This skill will upload your photos/videos and metadata to mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (it can create an anonymous one for you). Before installing: (1) confirm you trust that external service and are comfortable with it storing your media; (2) ask the publisher for a privacy/retention policy and source code or homepage—none is provided here; (3) clarify whether the skill will read ~/.config/nemovideo/ or otherwise access local config (frontmatter and registry disagree); (4) avoid uploading sensitive personal data until you verify the service. If you need stronger assurance, choose a skill with a verifiable source and documentation or request the publisher to resolve the config-path and metadata inconsistencies.
Findings
[no-regex-findings] expected: The static scanner found no code to analyze (instruction-only SKILL.md). This is expected but means there is no machine-verifiable code to inspect; runtime behavior will depend on how the agent implements the described API calls.

Review Dimensions

Purpose & Capability
note: Name/description align with the runtime instructions: the skill uploads media and uses a cloud render API. Requested credential (NEMO_TOKEN) is appropriate for an API client. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry listing reported no required config paths — an inconsistency. The skill also lacks a homepage or known source to verify the external service.
Instruction Scope
note: Instructions are focused on API interactions (anonymous-token, session, upload, SSE, export) and on uploading user media — which is expected for a video service. They also instruct the agent to read the skill's frontmatter and to detect an install path to populate X-Skill-Platform headers (reading local paths), which is limited but worth calling out. The skill will transmit user files and metadata to an external domain (mega-api-prod.nemovideo.ai); the doc does not explicitly require obtaining explicit user consent or explain retention/privacy of uploaded media.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is low-risk from an installation point of view because nothing is downloaded or written by an installer step.
Credentials
concern: Only a single credential (NEMO_TOKEN) is declared, which matches the API usage. However the frontmatter's configPaths suggests the skill may expect access to ~/.config/nemovideo/, which could contain additional credentials or settings; the registry-level metadata contradicted this. That mismatch should be resolved before trusting the skill with filesystem access or credentials.
Persistence & Privilege
ok: The skill does not request always:true and is user-invocable; it follows normal autonomous-invocation defaults. It instructs saving session_id and using a token for API calls (normal for a remote service). No instructions were found that modify other skills or system-wide configuration.