Skill v1.0.0

ClawScan security

Arch Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 4:59 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud video-editing integration that needs a single API token; nothing obvious is requesting unrelated credentials or privileged system access, but there are a few small inconsistencies and privacy considerations to review before use.
Guidance
This skill looks like a straightforward connector to an external nemovideo API and needs one token (NEMO_TOKEN). Before installing:
1) Confirm you trust the external domain (mega-api-prod.nemovideo.ai) and its privacy/storage policies because your video files and derived outputs will be uploaded there.
2) Clarify the config path behavior — SKILL.md references ~/.config/nemovideo/ (possible local storage of tokens/session_id) even though registry metadata omitted it.
3) If you don't already have a trusted NEMO_TOKEN, the skill can request an anonymous token for 7 days — be aware that anonymous tokens grant credits and are still sent in Authorization headers.
4) Avoid uploading sensitive or legally protected footage until you verify data retention and sharing terms.
If you want higher assurance, ask the skill author for a privacy/data-retention statement or for the API service's official homepage and docs before proceeding.

Review Dimensions

Purpose & Capability
note: The skill declares a single primary credential (NEMO_TOKEN) and its SKILL.md describes calls to a nemovideo API to upload, edit, and render videos — this matches the stated purpose. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths.
Instruction Scope
note: Runtime instructions are focused on session/auth, uploading user video files, SSE editing, and polling for export results — all expected for a cloud editor. They explicitly instruct generating or using a NEMO_TOKEN and saving session_id. The instructions require constructing custom attribution headers (X-Skill-Source/Version/Platform) and ask to auto-detect platform from an install path, which could cause the agent to inspect its environment/install path; this is a minor scope expansion but explainable by the header requirement.
Install Mechanism
ok: No install step or downloadable code is present; the skill is instruction-only so it does not write files or pull remote archives. This is the lowest install risk.
Credentials
note: Only NEMO_TOKEN is required (and the skill provides a path to obtain an anonymous token if not provided), which is proportional for a service that requires authentication. The frontmatter's configPaths entry (~/.config/nemovideo/) is present in SKILL.md but was not listed in the registry’s 'required config paths' — that mismatch should be clarified because it implies the skill may read or store credentials/session info on disk.
Persistence & Privilege
ok: always:false (not force-included) and normal autonomous invocation are used. The skill expects to create and reuse a session_id and may persist a token/session info (frontmatter config path), which is standard for API clients but the user should confirm where tokens are stored and for how long.