Skill v1.0.0

ClawScan security

Video To Mp3 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 6:42 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches a cloud-based video→MP3 extractor, but there are small inconsistencies and file-system/credential behaviors you should understand before sending video files to an unknown backend.
Guidance
This skill will upload your video files to an external service (mega-api-prod.nemovideo.ai) and requires/provides a bearer token (NEMO_TOKEN). Before installing or invoking:
1) Verify you trust the remote domain/operator and find a privacy/retention policy — there's no homepage provided here.
2) Understand that the skill will read its own frontmatter and probe common install paths in your home directory to set an attribution header — if you don't want local path metadata exposed, don't install.
3) If you don't already have a NEMO_TOKEN, the skill will request an anonymous token from the backend automatically (100 free credits, 7-day expiry) — consider whether you want an unknown service to mint and manage tokens for you.
4) Avoid uploading sensitive or confidential video content until you confirm the service's storage/retention practices.
5) The registry metadata inconsistently omits the config path that SKILL.md references; ask the publisher for clarification (or a homepage) before use.
If you are uncomfortable, do not install or use the skill and consider running a network/traffic inspection or using a sandbox to test its behavior first.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (upload a video, extract MP3 via a cloud backend) aligns with the single required credential (NEMO_TOKEN) and the API endpoints in SKILL.md. However, registry metadata lists no config paths while the SKILL.md frontmatter and runtime instructions reference a config path (~/.config/nemovideo/) and require reading the SKILL.md frontmatter — an inconsistency between declared registry requirements and the runtime instructions.
Instruction Scope
concern: Instructions tell the agent to upload user video files (up to 500MB) to https://mega-api-prod.nemovideo.ai, create sessions, poll SSE endpoints, and include attribution headers. They also instruct the agent to read this skill's YAML frontmatter and detect install paths (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform. Those file-system reads are not declared in the registry and expand the scope beyond just 'send this file to an API.'
Install Mechanism
ok: No install spec and no code files — instruction-only. This is the lowest install risk because nothing is written to disk by an installer.
Credentials
note: Only one required environment variable is declared (NEMO_TOKEN), which is proportionate to a cloud service. However, SKILL.md also describes obtaining an anonymous token by POSTing to an auth endpoint if NEMO_TOKEN is missing (it will mint a short-lived anonymous token). The registry declares NEMO_TOKEN as required but the instructions will generate one if absent — this mismatch should be noted. There are no other unrelated credentials requested.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills, and does not require persistent system-level privileges. It creates and uses ephemeral sessions on the backend, which is consistent with its purpose.