Skill v1.0.0

ClawScan security

Video Download Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 12:11 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared credential (NEMO_TOKEN), API endpoints, and runtime instructions are coherent with a cloud-based video-download service, but it makes network calls to an external backend and contains a small metadata inconsistency, so exercise caution before installing.
Guidance
This skill talks to an external backend (mega-api-prod.nemovideo.ai) and will upload user media and/or use an environment token (NEMO_TOKEN). Before installing:
1) Confirm you trust the nemovideo.ai service and review its privacy/terms — uploaded videos will be sent to that service.
2) If you don't want persistent credentials used, prefer creating a short-lived anonymous token as described or use an account token dedicated only to this skill.
3) Verify whether the platform will create or read ~/.config/nemovideo/ (the SKILL.md metadata mentions it despite registry saying no config paths).
4) Avoid supplying any credentials that are shared across other services (AWS, GitHub, etc.).
If you need higher assurance, ask the publisher for a homepage or source repo and a privacy/data-retention statement before use.

Review Dimensions

Purpose & Capability
ok: The skill claims to download and render videos, and all required pieces in SKILL.md (NEMO_TOKEN, session creation, upload/render/export endpoints) align with that purpose. The use of a single service-specific token and the specified nemovideo.ai API is expected for this functionality. Note: the registry summary above lists no required config paths, while the SKILL.md frontmatter metadata includes a configPaths entry (~/.config/nemovideo/). This is a minor inconsistency (storage of session or tokens is plausible) but worth noting.
Instruction Scope
ok: The runtime instructions focus on establishing a session, uploading media, driving edits via SSE, polling export status, and returning download URLs — all within the service domain. The skill instructs the agent to call an anonymous-token endpoint if no NEMO_TOKEN is present (this will cause outbound network requests). It does not instruct reading unrelated local files or environment variables aside from the declared token. The instructions do expect uploads of user media (up to 500MB), which is appropriate for the stated purpose but has privacy implications.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or downloaded by an installer. That lowers installation risk.
Credentials
note: Only a single service credential (NEMO_TOKEN) is declared as required and used in the workflow — this is proportional to a cloud video service. The SKILL.md also references a config path in its metadata (~/.config/nemovideo/) which could imply storing session data; the registry-level requirements listed earlier said 'none' for config paths, so confirm whether the agent/platform will expose or persist files at that path.
Persistence & Privilege
ok: 'always' is false and the skill does not request elevated or global agent privileges. It does require network access to an external API, which is normal for a cloud-based service. There is no indication it modifies other skills or system-wide settings.