Skill v1.0.0
ClawScan security
Generator From Audio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 6:08 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are internally consistent with a cloud-based audio→video service, but it will create/use tokens and upload user audio to an external API and the package has no provenance info — review before use.
- Guidance: This skill is coherent for converting audio to video via the nemo backend, but it will: (1) upload your audio to https://mega-api-prod.nemovideo.ai for cloud processing; (2) generate or use an auth token (it can auto-create an anonymous token tied to a generated client UUID) and will store session IDs/tokens for subsequent requests; and (3) may read install/config paths to set attribution headers. Before installing, decide whether you are comfortable with your audio being sent to that external service and with the skill storing tokens/sessions (local or remote). If you prefer tighter control: set NEMO_TOKEN yourself rather than allowing anonymous token creation, avoid uploading sensitive audio, and verify the service's privacy/retention policy. Also note the skill’s source/homepage is unknown — exercise normal caution with unvetted skills.
Review Dimensions
- Purpose & Capability (ok): Name/description match the required credential and API calls: the skill converts audio to video through the nemo video service and therefore legitimately needs a NEMO_TOKEN and endpoints under nemovideo.ai. Required env var (NEMO_TOKEN) is proportionate to the stated purpose.
- Instruction Scope (note): SKILL.md tells the agent to perform network operations (obtain anonymous token, create session, upload files, start exports, poll render status) and to upload user audio to the remote backend — which is expected for this service. It also instructs generating/storing anonymous tokens and detecting install paths to set an X-Skill-Platform header; detection implies reading certain filesystem paths. These actions are within the skill's purpose but involve transmitting user files and storing tokens, so be aware of data exfiltration/retention choices.
- Install Mechanism (ok): No install spec or bundled code — this is instruction-only, so nothing is written to disk by an installer. That minimizes supply-chain risk, though runtime network calls are required.
- Credentials (ok): Only one credential (NEMO_TOKEN) is declared and used. The skill also offers to generate an anonymous token if NEMO_TOKEN is absent; this is consistent with the backend's auth model. Metadata mentions a config path (~/.config/nemovideo/) but the instructions primarily check the environment variable — minor mismatch but not disproportionate.
- Persistence & Privilege (note): always:false (no forced presence). The skill instructs storing a session_id/token for subsequent requests and metadata lists a config path; that implies the agent may persist credentials or session state locally. This is plausible for convenience but users should be aware tokens/sessions may be written to disk or retained by the remote service.
