Skill v1.0.0

ClawScan security

Editor Ai En Espanol · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 10, 2026, 11:04 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions mostly match a cloud video-editing purpose, but there are small inconsistencies (declared required env/config vs runtime behavior) and it will upload user video files to an external API—verify these before installing.
Guidance
This skill will upload any video files you provide to an external service (mega-api-prod.nemovideo.ai) for cloud processing — confirm you are comfortable with that. Note these points before installing: (1) The registry metadata and the SKILL.md disagree about config paths and the token requirement: the skill lists NEMO_TOKEN as required but also documents an anonymous-token flow that can create a token automatically. Ask the author which behavior is intended. (2) The SKILL.md references reading install/config paths (~/.config/nemovideo/ and detecting install path) — if you have sensitive config files in those locations, verify whether the skill will actually access them. (3) There is no shipped code to audit (instruction-only), so trust is placed in the remote API; review the service hostname and privacy terms before sending private or sensitive video content. If you need higher assurance, request a version with explicit, minimal permission requirements or host processing on a service you control.

Review Dimensions

Purpose & Capability
note
Name/description claim cloud-based Spanish video editing and the runtime instructions call a Nemovideo backend for uploads, session management, SSE, and exports — this is coherent. However the registry metadata said no config paths while the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and lists NEMO_TOKEN as required; that mismatch is unexplained.
Instruction Scope
note
Instructions stay within editing/export workflows (session creation, uploads, SSE streaming, polling render status). They explicitly instruct sending user media to https://mega-api-prod.nemovideo.ai and creating/retrieving a NEMO_TOKEN if absent. A minor scope creep: the skill instructs deriving X-Skill-Platform from local install paths (reading install path patterns), which implies filesystem inspection that isn't necessary for core functionality.
Install Mechanism
ok
This is an instruction-only skill with no install spec or shipped code files, so nothing will be downloaded or written to disk by an installation step.
Credentials
note
The skill declares a single primary credential (NEMO_TOKEN), which is appropriate for a cloud API. But the SKILL.md also documents an anonymous-token flow that obtains a token if NEMO_TOKEN is missing — making the 'required env var' claim ambiguous. No other unrelated secrets are requested.
Persistence & Privilege
ok
always:false and no claims of modifying other skills or system-wide configs. Session IDs are retained per the normal workflow; no elevated or persistent system privileges are requested.