Skill v1.0.0

ClawScan security

Clip Maker Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 6:20 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly behaves like a cloud video-rendering integration, but there are mismatches between what it declares and what its instructions do (and provenance is missing), so proceed with caution.
Guidance
This skill appears to be a cloud-based video-cutting integration that uploads your videos to https://mega-api-prod.nemovideo.ai for processing. That behavior is expected for the feature but has privacy implications — any video you send will leave your machine. The manifest and instructions are inconsistent: the skill claims NEMO_TOKEN is required and lists a config path (~/.config/nemovideo/), yet the runtime docs describe generating an anonymous token if NEMO_TOKEN is missing. Before installing or using it: (1) confirm you trust the external domain/service and review its privacy/terms, (2) avoid uploading sensitive or confidential videos, (3) ask the publisher why the config path is required and how/where tokens/session IDs are stored, and (4) prefer providing a known service token from a trusted account if possible. The skill's source and homepage are unknown — that lowers provenance and is another reason to be cautious. If you need higher assurance, test in a sandboxed environment or request author/source verification first.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (upload a long video and get short social clips) matches the runtime instructions (upload endpoints, render/export flow). However the manifest declares a required NEMO_TOKEN and a config path (~/.config/nemovideo/) while the instructions explicitly provide an anonymous-token fallback flow — that is inconsistent. Requesting access to a config path is not justified or explained in the SKILL.md.
Instruction Scope
concern: Instructions direct the agent to obtain or use NEMO_TOKEN, create sessions, upload user video files (multipart or URL), initiate render jobs, poll for completion, and download results from an external domain (mega-api-prod.nemovideo.ai). Uploading user-provided files to an external service is required for the feature but is a privacy/exfiltration vector the user should be aware of. The skill also requires populating attribution headers and 'auto-detect' install path for X-Skill-Platform (implies reading environment/install path), but no concrete safe method is given. The SKILL.md does not explain why the declared config path is needed or what is stored there.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That lowers installation risk.
Credentials
concern: Only NEMO_TOKEN is declared as required, which is proportionate for a cloud API. But the manifest also declares a config path (~/.config/nemovideo/) which is not referenced or justified by the instructions. Additionally, the SKILL.md both expects an external token and documents an anonymous-token acquisition flow — declaring NEMO_TOKEN as required is therefore misleading. No other credentials are requested.
Persistence & Privilege
ok: The skill does not request always:true and is user-invocable; it can be invoked autonomously per platform defaults (normal). It does not declare install-time persistence or modifications to other skills.