Skill v1.0.0
ClawScan security
Free Video Generator Capcut · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 16, 2026, 5:46 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (automatic token issuance and uploading user media to an external rendering backend) matches its stated purpose, but there are metadata inconsistencies, no publisher/homepage, and the runtime instructions ask the agent to create and use tokens and inspect install/config paths — things you should understand before trusting it with your files.
- Guidance: This skill will upload your videos/images to an external service (mega-api-prod.nemovideo.ai) and will obtain or use an Authorization token (NEMO_TOKEN). Before installing: 1) Be comfortable with an unknown publisher and no homepage — you have limited ability to audit the backend. 2) Avoid uploading sensitive or private footage unless you trust the service. 3) Decide whether to preset NEMO_TOKEN yourself (so the skill doesn't call the anonymous-token endpoint) or allow the agent to request one automatically. 4) Ask the publisher for documentation or a privacy/terms link and confirm where tokens/session data are stored (in memory only vs written to ~/.config/nemovideo/). 5) If you need stronger assurance, prefer a skill from a known publisher or one with a verifiable homepage/source code.
Review Dimensions
- Purpose & Capability (note): The skill's declared purpose (cloud video editing) aligns with the single required credential (NEMO_TOKEN) and the HTTP endpoints described. However, the SKILL.md includes a config path (~/.config/nemovideo/) in its YAML metadata while the registry summary above listed no required config paths — this mismatch is unexplained. Also the skill source/publisher is unknown and no homepage is provided, which reduces traceability.
- Instruction Scope (concern): Runtime instructions tell the agent to automatically obtain anonymous tokens, create sessions, upload user media, stream SSE interactions, poll render status, and derive attribution headers (including detecting an install path like ~/.clawhub/). These actions require network access and transmission of user media to an external service (mega-api-prod.nemovideo.ai). The instructions also imply reading the agent's install path to set X-Skill-Platform and mention storing session_id/token for subsequent requests. While these steps are coherent with cloud rendering, they expand scope beyond purely local processing and merit user awareness.
- Install Mechanism (ok): There is no install spec and no code files; this is instruction-only, so nothing will be written to disk by an installer. That reduces installation risk.
- Credentials (note): Only one credential (NEMO_TOKEN) is declared as required and used for Authorization, which is proportionate for a cloud API. However, the SKILL.md also references a config path (~/.config/nemovideo/) and infers the install location to set headers — neither of which is declared in the registry header (inconsistency). The skill's anonymous-token flow will create and use ephemeral credentials if NEMO_TOKEN is not present; consider whether you want the agent to perform that network auth flow automatically.
- Persistence & Privilege (ok): The skill is not force-included (always:false) and is user-invocable. It asks to store session IDs/tokens for the session, but there is no install step that modifies other skills or system-wide settings. Autonomous invocation is allowed (default), but that alone is normal and not flagged.
