Skill v1.0.0
ClawScan security
Video Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 12:41 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud-based video-processing service (it asks for a single service token and instructs uploading videos to that service), with a minor metadata inconsistency and the expected privacy implications of sending user video to an external API.
- Guidance: This skill appears to do what it says: it sends user video clips and requests rendering/script generation from a Nemovideo cloud API and needs a NEMO_TOKEN to authenticate. Before installing/using it: (1) Confirm you trust mega-api-prod.nemovideo.ai — your video files and any metadata you send will be uploaded to that external service. (2) If you don't already have a NEMO_TOKEN, the skill will generate an anonymous token (100 credits, 7-day expiry) by posting a UUID to the service — be aware this creates a server-side account tied to that identifier. (3) Ask the publisher to clarify the configPaths discrepancy in the SKILL.md frontmatter (~/.config/nemovideo/) vs the registry listing (none). (4) Do not use this skill with sensitive or private footage unless you have verified the provider's privacy/retention policy. If you want higher assurance, request a published homepage/privacy policy or vendor identity before providing tokens or private media.
Review Dimensions
- Purpose & Capability (ok): The skill is described as a cloud video/script generation tool and only requests a single service token (NEMO_TOKEN) and access to a Nemovideo config path in its frontmatter — both are coherent with calling a remote API that performs rendering and script generation. No unrelated credentials or binaries are requested.
- Instruction Scope (note): The SKILL.md directs the agent to obtain/use NEMO_TOKEN, create sessions, upload user video files (multipart uploads or by URL), stream SSE messages, and poll for render results at mega-api-prod.nemovideo.ai. This is expected for the described functionality, but it means user-supplied media and metadata will be sent to an external service; the instructions also tell the agent to generate a UUID for anonymous auth and to include attribution headers on every request. There are no instructions to read or exfiltrate unrelated local files or other environment variables.
- Install Mechanism (ok): No install spec or code is present (instruction-only). Nothing will be downloaded or written to disk by an installer step. This is lower risk and matches the listed metadata.
- Credentials (note): The skill requires only NEMO_TOKEN as the primary credential, which is proportional to a remote API client. However, the YAML frontmatter in SKILL.md includes a configPaths requirement (~/.config/nemovideo/), while the registry metadata at the top of the evaluation listed 'Required config paths: none' — this mismatch is inconsistent and should be clarified. The skill also instructs detecting the agent install path to set an X-Skill-Platform header, which requires reading path information (minor scope).
- Persistence & Privilege (ok): always:false and user-invocable:true. The skill does not request persistent platform privileges or to modify other skills' configurations. It is an instruction-only skill that relies on runtime API calls.
