Skill v1.0.0

ClawScan security

Converter Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 6:03 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill behaves like an online video-conversion frontend and only asks for a single service token, but missing provenance (no homepage/owner info), a metadata inconsistency about config paths, and the fact it will upload your files to an external API mean you should verify the service before sending sensitive content or credentials.
Guidance
This skill is broadly coherent for an online video-conversion service, but take these precautions before installing or using it: (1) Verify the backend domain (mega-api-prod.nemovideo.ai) and the service's privacy policy — uploaded media will go to that external server. (2) There is no homepage or clear publisher information in the registry; prefer skills with verifiable provenance. (3) The SKILL.md mentions a local config path (~/.config/nemovideo/) even though the registry metadata did not — ask the author whether the skill will read local config files or tokens. (4) Only set NEMO_TOKEN if you trust the service; otherwise rely on the anonymous-token flow for non-sensitive content. (5) Avoid uploading sensitive or private videos until you confirm retention/delete policies and can revoke tokens. If you want higher assurance, request the skill author/publisher info and a review of network endpoints and data handling before use.

Review Dimensions

Purpose & Capability
note: The name/description (video conversion) align with the instructions and the single required env var (NEMO_TOKEN). However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata provided earlier did not; this mismatch in declared config access is an inconsistency to clarify. Also, there is no homepage or authoritative owner info, so provenance is weak.
Instruction Scope
note: Instructions are narrowly focused on creating a session, uploading files, streaming SSE results, and starting renders on the backend endpoints (mega-api-prod.nemovideo.ai). They explicitly tell the agent to upload user-supplied media and to generate anonymous tokens if NEMO_TOKEN is not present. The skill also instructs the agent to read attribution info (reading the frontmatter and detecting the install path), which requires examining the agent environment. This is reasonable for attribution but worth noting.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers install-time risk.
Credentials
note: Only one credential is declared (NEMO_TOKEN), which is proportionate for a service-backed converter. However, the SKILL.md includes an anonymous-token acquisition flow (network POST to the service) and the frontmatter mentions a config path (~/.config/nemovideo/) not reflected in the registry metadata; this could allow the skill to read stored local tokens/config if implemented, so confirm whether that path will actually be accessed.
Persistence & Privilege
ok: The skill does not request always:true and does not claim to modify other skills or system-wide settings. It can run network calls and be invoked autonomously (platform default), which is expected for an API-backed converter.