Skill v1.0.0

ClawScan security

Hydra Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 18, 2026, 2:16 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are generally consistent with a cloud video-editing service, but there are small metadata inconsistencies and privacy/operational things to verify before use.
Guidance
This skill appears to be a normal client for the 'nemovideo' cloud rendering service. Before installing: (1) Confirm the service domain (mega-api-prod.nemovideo.ai) and review its privacy/retention policy because you will upload potentially sensitive video content. (2) Prefer supplying your own NEMO_TOKEN from a trusted account rather than relying on the skill's anonymous-token flow if you need auditing or control. (3) Ask the maintainer to clarify the config-path discrepancy (SKILL.md frontmatter vs registry) and what, if anything, the skill will read from ~/.config/nemovideo. (4) Understand that uploads and renders happen on the remote service and that attribution headers require reading the skill frontmatter and possibly the agent install path — if you are uncomfortable with any local path probing, request that the skill avoid that behavior. If those items are acceptable or clarified, the skill is coherent with its purpose.

Review Dimensions

Purpose & Capability
ok
Name, description, and runtime actions (uploading video, creating sessions, starting renders) align with a cloud video-editing backend. The single required credential (NEMO_TOKEN) is appropriate for an API-backed service. Note: the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch should be clarified.
Instruction Scope
note
Instructions stay within the stated purpose: they describe auth, session creation, SSE for edits, uploads, and render polling against mega-api-prod.nemovideo.ai. The skill asks the agent to derive attribution headers from the skill frontmatter and to detect install path for X-Skill-Platform (reading agent install path), which is reasonable but does expand file-system probing beyond purely API calls. It also includes logic to obtain an anonymous token if NEMO_TOKEN is not present (posts to the service to receive a token).
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer in the provided materials.
Credentials
note
Only NEMO_TOKEN is required (declared as primary credential), which matches the service usage. However, SKILL.md frontmatter also references a config path (~/.config/nemovideo/), which could imply reading local configuration files; the registry metadata did not list required config paths. Confirm whether the skill will read that config path and what data it expects (it may contain tokens or user config).
Persistence & Privilege
ok
always is false and the skill is user-invocable; it does not request persistent or system-wide privileges and does not instruct modifications to other skills or global agent config. Autonomous invocation remains allowed (platform default).