Skill v1.0.0

ClawScan security

Free Free Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 18, 2026, 3:09 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video creation) mostly matches its instructions, but there are inconsistencies and privacy/networking behaviors you should understand before installing.
Guidance
This skill will upload your video files and related project data to a remote service (mega-api-prod.nemovideo.ai) and will obtain or use a NEMO_TOKEN for authorization. Confirm you trust that endpoint and the skill author before sending private or sensitive footage. Note the SKILL.md metadata mentions reading ~/.config/nemovideo/ and this file's frontmatter (to set attribution headers) — check whether you want the agent to read those paths. The package has no homepage and an unknown source; if you want stronger assurance, ask the author for a privacy policy, service terms, and a well-known homepage, or prefer providing your own NEMO_TOKEN only after verifying the service. Finally, be aware the agent will auto-request an anonymous token if none is set, which causes network traffic to the service even without you supplying credentials.

Review Dimensions

Purpose & Capability
note: The skill claims to perform cloud-based video editing and export; the SKILL.md describes upload, render, SSE, and export endpoints that align with that purpose. However the SKILL.md includes a required config path (~/.config/nemovideo/) in its frontmatter metadata while the registry summary presented earlier reported no required config paths — that's an inconsistency worth noting.
Instruction Scope
note: Runtime instructions direct the agent to upload user media, stream edits via SSE, poll job state, and include attribution headers. They also instruct the agent to read this file's YAML frontmatter and detect an install path (e.g., ~/.clawhub/ or ~/.cursor/skills/) to set X-Skill-Platform. These actions are consistent with a remote video service but mean user files and metadata will be sent to a third-party endpoint (mega-api-prod.nemovideo.ai). The instructions to auto-acquire an anonymous token if NEMO_TOKEN is missing mean the agent will contact that remote API without an externally-provided credential.
Install Mechanism
ok: Instruction-only skill with no install spec or code to be written to disk; lowest installation risk from a supply-chain perspective.
Credentials
note: Only one declared credential (NEMO_TOKEN) is required and is appropriate for a remote service. The skill will, however, attempt to create/obtain an anonymous NEMO_TOKEN by POSTing to the service if no token is present, and the frontmatter suggests reading a config path (~/.config/nemovideo/). Both behaviors are plausible for this feature but increase data sent to the remote service and warrant user awareness.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges or modification of other skills' configurations. It can be invoked autonomously by the agent (default), which is normal — no additional persistence or system-wide changes are requested.