Skill v1.0.0
ClawScan security
Add Music To Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 7:52 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (adding background music to videos via a remote rendering API) aligns with the environment variable and runtime instructions; small inconsistencies in metadata/config-path declaration and the fact that it uploads user videos to an external service are worth noting before use.
- Guidance: This skill appears to do what it says: it uploads your video to a remote nemovideo rendering service and returns a rendered MP4. Before installing or using it: (1) Verify you trust the endpoint (https://mega-api-prod.nemovideo.ai) and understand that your video files will be uploaded off your device. (2) Check what the NEMO_TOKEN grants (scope, revocation, retention policy); anonymous tokens are created and last 7 days per the instructions. (3) Note the SKILL.md mentions reading a local config path (~/.config/nemovideo/) and auto-detecting an install path; confirm whether the agent will access those local locations and that you are comfortable with that. (4) Don’t provide unrelated secrets or credentials to this skill. If you need higher assurance, ask the skill author for a privacy/data-retention policy or run uploads on non-sensitive test videos first.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the skill uploads video files, creates a session, sends SSE messages, and requests renders from a remote nemovideo API. The required primary credential (NEMO_TOKEN) is appropriate for this advertised cloud service.
- Instruction Scope (note): Instructions stay within the service's domain (auth, session creation, upload, SSE, render polling). They direct the agent to upload user videos and to use an anonymous-token endpoint if no NEMO_TOKEN is present. One implementation detail to note: the frontmatter requests a config path (~/.config/nemovideo/) and asks to auto-detect an install path for X-Skill-Platform. This implies the agent may read local install/config locations, but the rest of the instructions do not require broad system reads. The SKILL.md also instructs keeping technical details out of chat (presentation guidance), which is fine.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest install risk.
- Credentials (note): Only a single credential (NEMO_TOKEN) is requested, which fits the described remote API usage. Minor inconsistency: the top-level registry metadata indicated no required config paths, but SKILL.md frontmatter lists '~/.config/nemovideo/' as a configPath requirement. If the agent will read that path to discover tokens, users should be aware of that local access.
- Persistence & Privilege (ok): always:false and no install hooks claimed. The skill can be invoked autonomously (platform default), but it does not request permanent platform-wide privileges or attempt to modify other skills.
