Skill v1.0.0
ClawScan security
Korean Photo Video Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 12:59 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions match its stated purpose (uploading photos and requesting a render from a remote video service); nothing requested appears unrelated to making Korean slideshow videos, but it will upload your images to a third‑party API and use a NEMO_TOKEN or anonymous token for that.
- Guidance: This skill behaves like a thin client for a third‑party video service: it will upload the images you provide to https://mega-api-prod.nemovideo.ai and use either your NEMO_TOKEN or a generated anonymous token. Before installing or using it: (1) confirm you trust the nemovideo.ai service and are comfortable uploading the images (do not send sensitive or private photos unless you accept remote processing and storage), (2) if you provide a real NEMO_TOKEN, ensure it has minimal scope and be prepared to rotate/revoke it later, (3) note the SKILL.md references a config path (~/.config/nemovideo/) that the registry listing did not — ask the publisher why that path is needed and whether the skill will read local config files, and (4) because this is instruction-only, review network endpoints and headers used by the skill; if you want stronger isolation, use a disposable/limited token or anonymized images. If you need a more cautious verdict, request the publisher's privacy/security documentation or any code/install scripts (there are none here) so I can re-evaluate.
Review Dimensions
- Purpose & Capability (ok): Name/description align with what the instructions do: create a session, upload image files, request renders, poll for results on mega-api-prod.nemovideo.ai. The required environment variable (NEMO_TOKEN) is appropriate for an API-backed render service.
- Instruction Scope (note): Instructions are focused on session creation, SSE chat, uploads, and export polling. They explicitly instruct uploading user images to the remote API (expected for this service) and obtaining an anonymous token if no NEMO_TOKEN is present. No instructions ask the agent to read unrelated local files or secrets, but the SKILL.md metadata references a config path (~/.config/nemovideo/) and install-path-derived headers which implies the agent may inspect install/config locations; registry metadata earlier did not list that config path, an inconsistency to be aware of.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install risk. All runtime behavior is network calls to the documented API host.
- Credentials (ok): Only NEMO_TOKEN is declared as required and used for API requests; SKILL.md also supports generating a short-lived anonymous token if none is present. No unrelated credentials are requested.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or system-wide settings in the instructions.
