Skill v1.0.0

ClawScan security

Caption Generator By Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 5:51 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a remote image→caption/video rendering service and don't ask for unrelated system access. It will, however, obtain and use a service token and talk to an external API, so you should trust that backend before uploading sensitive images.
Guidance
This skill talks to a remote service (mega-api-prod.nemovideo.ai), will use or obtain a bearer token (NEMO_TOKEN), and uploads images for server-side rendering. Before installing: confirm you trust nemovideo.ai, do not upload sensitive or private images unless you accept their data handling, consider pre-providing a token you control rather than letting the skill generate one, and check whether tokens/sessions are stored locally in ~/.config/nemovideo/ so you can delete/revoke them later.

Review Dimensions

Purpose & Capability
ok: The name/description (caption-to-video rendering) matches the declared requirement (NEMO_TOKEN) and the SKILL.md which describes using nemovideo.ai APIs. The metadata config path (~/.config/nemovideo/) is plausible for storing session/token state.
Instruction Scope
note: Instructions are focused on creating/using a session, uploading media, SSE streaming, polling render status, and exporting results. The skill auto-obtains an anonymous token from https://mega-api-prod.nemovideo.ai if NEMO_TOKEN is absent and directs where to POST/upload files. It also instructs the agent to detect install path to set X-Skill-Platform headers. There are no instructions to read unrelated system files or other environment variables, but the behaviour of auto-creating/storing tokens and reading install/config paths should be expected and considered.
Install Mechanism
ok: No install spec or third-party downloads: this is an instruction-only skill (lowest install risk).
Credentials
ok: Only one credential (NEMO_TOKEN) is required and is plausibly the API bearer token for the described backend. The SKILL.md describing an anonymous-token endpoint explains how a token can be obtained when none is provided, so the env requirement is proportional.
Persistence & Privilege
ok: The skill is not always-enabled and doesn't request elevated platform privileges. It does reference a local config path (~/.config/nemovideo/) for session/token storage which is consistent with persistent client state for the service.