Skill v1.0.0
ClawScan security
Maker Bak · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 17, 2026, 11:54 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud video remake) matches most of its actions, but there are inconsistencies about what it will read from your machine and about declared config paths — and it will upload your video and obtain/use bearer tokens from an external service, so review carefully before use.
- Guidance: This skill appears to do what it says (upload your video to a cloud backend for AI remakes) but you should: (1) understand that your video files will be uploaded to https://mega-api-prod.nemovideo.ai and processed there — don’t send sensitive footage unless you trust that service and its privacy policy; (2) provide a trusted NEMO_TOKEN if you have one, or be aware the skill will obtain an anonymous token for you by calling the external auth endpoint; (3) ask the publisher to clarify the mismatch between registry metadata (no configPaths) and the SKILL.md frontmatter (which references ~/.config/nemovideo/) and why the skill needs to probe install paths to set X-Skill-Platform; (4) if you need higher assurance, request the skill's source or a vetted publisher before installing or using it. If you’re unsure about the external service, do not upload sensitive videos.
Review Dimensions
- Purpose & Capability (note): The name/description (video remake/export) align with the runtime instructions: the SKILL.md describes uploading video, creating sessions, SSE-based edits, and exporting MP4s from a cloud backend. Requesting a single service token (NEMO_TOKEN) is proportional to the stated purpose.
- Instruction Scope (concern): The SKILL.md instructs the agent to check environment for NEMO_TOKEN, call external API endpoints (auth, upload, render, state), upload user files, and stream SSE responses — these are expected for a cloud video service. However the instructions also say to detect the agent install path to set X-Skill-Platform (by checking paths like ~/.clawhub/ or ~/.cursor/skills/) and the YAML frontmatter includes a configPath (~/.config/nemovideo/) that is not reflected in the registry metadata. That implies the skill may read filesystem paths beyond what the registry declared. The skill will also generate anonymous tokens if no NEMO_TOKEN exists and store/use session IDs for operations (but does not specify persistent storage location).
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This minimizes disk-write risk: nothing is downloaded or executed locally by an installer.
- Credentials (note): Only one credential (NEMO_TOKEN) is declared as required, which fits the cloud API usage. The SKILL.md additionally instructs fetching an anonymous token from the external API if NEMO_TOKEN is absent. This behaviour is plausible but means the agent will reach out to the remote endpoint and accept a token returned there, so credentials may be created/used automatically if you don't provide your own token.
- Persistence & Privilege (ok): always is false and the skill is not force-enabled. It does ask to keep session_id in-memory for operations but does not request system-wide or other-skills' config changes. Autonomous invocation is permitted (default) — not flagged by itself.
