Skill v1.0.0

ClawScan security

Language Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 3:30 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requested credential and API calls line up with a cloud-based video translate-and-dub service; no install or unrelated secrets are requested, but there are minor metadata inconsistencies and expected privacy trade-offs (uploads to a third-party API).
Guidance
This skill appears to do what it says: it will upload any video you provide to a third-party API (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN (or will obtain a short-lived anonymous token). Before installing or using it, consider: 1) only upload non-sensitive videos (privacy risk — your media is sent to their servers); 2) confirm you trust the nemovideo.ai service and its data retention/privacy policies; 3) verify how/where the NEMO_TOKEN will be stored in your environment if you supply one (don’t reuse high-privilege tokens); 4) note the small metadata inconsistency (~/.config/nemovideo/ listed in SKILL.md frontmatter) — ask the author whether the skill will read/write that path; and 5) test with a short non-confidential clip first. If you want higher assurance, ask the publisher for their homepage/source and a privacy/security statement before use.

Review Dimensions

Purpose & Capability
ok
Name/description (translate & dub videos) match the runtime instructions: the SKILL.md describes uploading video files and calling nemovideo.ai endpoints. Requiring a NEMO_TOKEN (and providing an anonymous-token fallback) is consistent with this purpose.
Instruction Scope
note
Instructions focus on session creation, file upload, SSE streaming, and exports to the nemovideo.ai API — all expected. It also instructs constructing attribution headers (including detecting install path) and mentions a configPath (~/.config/nemovideo/) in the frontmatter; the skill does not explicitly say to read that path, so there is a small mismatch between metadata and runtime guidance.
Install Mechanism
ok
No install spec and no code files — instruction-only. This is the lowest-risk install profile (nothing written to disk by the skill itself).
Credentials
note
Only one credential is requested (NEMO_TOKEN), which aligns with the described API usage. The skill also allows creating an anonymous token by POSTing a generated UUID. The frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata shows no required config paths; this discrepancy is worth noting but not necessarily malicious.
Persistence & Privilege
ok
always is false and the skill does not request elevated/system-wide persistence. Agent autonomous invocation remains enabled (platform default) but that is not a red flag by itself.