Skill v1.0.0

ClawScan security

Ai Photo Video Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 9:10 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior is coherent with its stated purpose (uploading images and invoking a cloud video-rendering API using a NEMO_TOKEN), but there are minor metadata inconsistencies you should be aware of before installing.
Guidance
This skill will upload your images and audio to an external rendering service (https://mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN for authorization. If you don't provide one, it will create an anonymous token for you (100 free credits, 7‑day expiry). Before installing: (1) confirm you're comfortable uploading the images and any metadata to that external domain, (2) verify the service/privacy terms if you plan to use sensitive photos, (3) be aware the skill may read your install path or ~/.config/nemovideo/ if present (the SKILL.md and registry metadata disagree about config path requirements), and (4) if you later want to revoke access, remove or rotate the NEMO_TOKEN. The skill appears coherent with its stated purpose, but double-check the endpoint/domain and privacy model before use.

Review Dimensions

Purpose & Capability
note
Name/description match the runtime instructions: the SKILL.md describes calling a nemo video backend (https://mega-api-prod.nemovideo.ai) to upload images, create a session, stream events, and request renders. The declared primary credential (NEMO_TOKEN) is appropriate for that API. Minor inconsistency: the registry summary listed no required config paths, but the skill's YAML frontmatter includes a configPaths entry (~/.config/nemovideo/). This mismatch is unexplained but not necessarily malicious.
Instruction Scope
ok
The instructions stay within the video-rendering domain: check/get a NEMO_TOKEN, create a session, upload files, read SSE, poll state, and request renders. The steps explicitly reference only the service endpoints and expected headers. The skill will send user-uploaded media to the remote service (expected for this functionality). It does read environment and install-path info only to derive headers/attributes — nothing in the visible SKILL.md instructs reading unrelated user files or other credentials.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files present; nothing is written to disk or downloaded by an installer. This is the lowest-risk install pattern.
Credentials
note
Only one credential is required (NEMO_TOKEN), which matches the described API usage. The SKILL.md also describes generating an anonymous token by POSTing to the provider if no NEMO_TOKEN is set (token is then used as NEMO_TOKEN). That automatic token acquisition is reasonable for anonymous usage, but users should understand it will create and store a short-lived credential (100 free credits, 7‑day expiry). Also note the inconsistent configPaths declaration between registry metadata and the YAML frontmatter — the skill claims access to ~/.config/nemovideo/ in the frontmatter, which could contain additional credentials or config.
Persistence & Privilege
ok
always is false and there is no install script or request to modify other skills or system-wide settings. The skill can be invoked autonomously (disable-model-invocation: false), which is the platform default; this is expected and not by itself a concern.