Skill v1.0.0

ClawScan security

Karaoke Lyric Video Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 7:53 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions mostly match a karaoke-video-for-a-service workflow, but there are metadata inconsistencies and undeclared filesystem/installation-path checks that don't fully add up — review before installing.
Guidance
This skill appears to implement a client for an external service (nemovideo.ai) and needs a NEMO_TOKEN to operate; that is expected. Before installing:
1) Verify the skill publisher and service domain (mega-api-prod.nemovideo.ai); source is listed as unknown here.
2) Confirm you are comfortable uploading audio files and any lyric files, since they will be sent to the external API.
3) Ask the publisher why SKILL.md metadata lists a local config path (~/.config/nemovideo/) and why the agent must detect install paths; this implies filesystem access that wasn't declared in the top-level registry.
4) Only provide a token scoped to this service (avoid reusing high-privilege or cloud provider credentials).
If the publisher/source is verified and they confirm the configPath/install-path checks are optional telemetry, the concerns would be resolved and this could be treated as coherent.

Review Dimensions

Purpose & Capability
note
The skill's name/description (create synced lyric videos) matches the runtime behavior (upload audio, request renders, return download URL). Requesting a service token (NEMO_TOKEN) is expected. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not declare, creating an inconsistency about whether the skill will read local config files.
Instruction Scope
concern
Instructions direct the agent to call external nemovideo.ai endpoints, accept user audio uploads, create session tokens, and persist a session_id (all expected). But the doc also tells the agent to detect an install path to set X-Skill-Platform (e.g., checking ~/.clawhub/ or ~/.cursor/skills/) and mentions a local config path in metadata. Those checks imply filesystem inspection not declared in the registry and are outside the minimal needs for a simple API client.
Install Mechanism
ok
No install spec or code files: instruction-only skill. Lowest install risk (nothing written to disk by the skill itself).
Credentials
note
The only required environment credential is NEMO_TOKEN, which is proportionate to accessing the nemovideo API. However the embedded metadata's configPaths entry suggests the skill might read ~/.config/nemovideo/, which was not declared in the top-level registry fields, an unexplained extra access request.
Persistence & Privilege
ok
always is false and the skill does not request persistent system-wide privileges. It will create session state with the remote service (session_id) which is normal for this use case.