Skill v1.0.0
ClawScan security
Ai Video Face Swap Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 5:18 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are internally consistent with a cloud-based video face-swap service, but it will upload user videos to an external API and the publisher/source is unknown — review privacy and token handling before use.
- Guidance: This skill appears to do what it says: it uploads user videos to an external cloud service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN (or it can request an anonymous token). Before installing, consider: (1) privacy — you will be uploading video/audio that may contain faces or other sensitive content; check the service's privacy policy and retention rules (no homepage was provided here); (2) token stewardship — the NEMO_TOKEN grants API access, so only use a token you trust and verify where/if the skill will store it (metadata suggests ~/.config/nemovideo/ may be involved); (3) provenance — the skill author and homepage are unknown, so if you need strong assurance about data handling, ask the publisher for a privacy/terms link or prefer a known provider. If you accept those risks and trust the service, the skill's behavior is coherent with its stated purpose.
Review Dimensions
- Purpose & Capability (ok): The name/description match the requested env var (NEMO_TOKEN) and the SKILL.md describes HTTP endpoints for uploading, session creation, streaming, credit checks and exports — all expected for a cloud face-swap service.
- Instruction Scope (note): Instructions direct the agent to obtain/use NEMO_TOKEN (or request an anonymous token), create sessions, upload user media, read SSE streams and poll state — these are required for the advertised function. Note: the skill will transmit users' video/audio files to an external endpoint (mega-api-prod.nemovideo.ai), which is expected for this functionality but has privacy implications. The YAML metadata references a config path (~/.config/nemovideo/) though the body does not explicitly say when/where to read/write it; storage location for tokens/session IDs is unspecified.
- Install Mechanism (ok): No install spec or external downloads — instruction-only skill. Nothing is written to disk by an installer step, reducing supply-chain risk.
- Credentials (note): Only one credential is required (NEMO_TOKEN), which is proportionate for an authenticated API. The skill can also generate an anonymous token itself if none is present. Be aware that the token grants access to the external service and the skill will upload potentially sensitive video content to that service.
- Persistence & Privilege (note): always:false and autonomous invocation defaults unchanged. The skill instructs saving a session_id but does not specify persistence location or retention policy; metadata lists a config path (~/.config/nemovideo/) which implies local storage may be used — clarify where tokens/session IDs are saved and how long they persist.
