Skill v1.0.0
ClawScan security
To Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 8:54 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are coherent with a cloud video-processing helper: it needs a single service token (NEMO_TOKEN), uploads user media to a remote API, and has no install script — but there are small metadata/instruction inconsistencies you should be aware of.
- Guidance: This skill uploads whatever media you provide to a third-party backend (mega-api-prod.nemovideo.ai) and acts using a bearer token (NEMO_TOKEN) or an anonymous token it fetches for you. Before installing or using it: (1) confirm you are comfortable with your videos being sent to that domain and review its privacy/terms; (2) only supply a NEMO_TOKEN with the minimal privileges you accept (avoid reusing long-lived high-privilege tokens); (3) note a small inconsistency in the SKILL.md metadata (it references a config path in frontmatter and also instructs detecting install paths) — this looks like an implementation detail, not malicious, but you may want to verify that the skill only reads its own metadata and does not access unrelated local files or credentials. If you need higher assurance, request the skill author or registry to provide an official homepage, ACL/terms for the service, or the exact scope of NEMO_TOKEN.
Review Dimensions
- Purpose & Capability: ok. The skill's name and description (convert raw footage to edited MP4s) align with the requests in SKILL.md: it calls a remote video-rendering API, uploads files, creates render jobs, polls for completion, and returns download URLs. Requesting a single service token (NEMO_TOKEN) is appropriate for this purpose.
- Instruction Scope: note. Instructions confine activity to interacting with the remote API (session creation, SSE conversation, uploads, exports). The skill will upload user-supplied media and stream server-sent events. It also instructs the agent to read this file's YAML frontmatter for attribution and to inspect install paths to set an X-Skill-Platform header — reading its own metadata and detecting its install location is plausible but slightly broader than strictly necessary for core function.
- Install Mechanism: ok. No install spec or code files — instruction-only. This is low-risk: nothing will be written to disk by an installer as part of skill setup.
- Credentials: note. Only NEMO_TOKEN is declared as required, which fits a cloud API client. The instructions also describe obtaining an anonymous token if NEMO_TOKEN is absent. You should treat NEMO_TOKEN as a full bearer token for the external service — granting it allows the skill to act on that account and access uploaded media and billing/credits.
- Persistence & Privilege: ok. The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It runs when invoked and uses transient network sessions; no elevated or persistent platform privileges are requested.
