Skill v1.0.0
ClawScan security
Maker Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 4:52 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a cloud video‑rendering service: it needs a NEMO_TOKEN (or will request an anonymous token), sends user media to a nemovideo.ai API, and contains no install steps or unrelated credential requests.
- Guidance
- This skill appears to do what it says: it uploads images/clips to an external nemovideo.ai service to render videos and uses a single credential (NEMO_TOKEN) or an anonymous token the skill will request on your behalf. Before installing or using it: (1) do not upload sensitive images or files you wouldn’t want sent to a third party; (2) confirm you trust the external domain (mega-api-prod.nemovideo.ai) since media and metadata will be transmitted there; (3) be aware the skill may obtain an anonymous short‑lived token if you don’t provide NEMO_TOKEN; (4) note the SKILL metadata mentions a config path (~/.config/nemovideo/) but the instructions don’t use it — a small inconsistency to be aware of; (5) if you plan to provide a persistent NEMO_TOKEN, ensure it’s scoped appropriately and not reused from unrelated services. If you need higher assurance, request the publisher’s homepage/privacy policy or ask for explicit data retention and deletion details from the service before uploading production or sensitive media.
Review Dimensions
- Purpose & Capability
- ok: The skill claims to convert images/clips into videos and the instructions only reference a single external video-rendering API (mega-api-prod.nemovideo.ai) and a single credential (NEMO_TOKEN). There are no unrelated credentials or binaries requested.
- Instruction Scope
- note: Instructions clearly direct the agent to upload user-provided media and to use SSE and other API endpoints on the external service. This is expected for a cloud renderer, but it means user files and metadata are transmitted off-host. The skill also includes logic to obtain an anonymous token if NEMO_TOKEN is absent and to create sessions and poll export state. Nothing in the SKILL.md instructs the agent to read unrelated system files or secrets, but the behavior of transmitting user media externally is a privacy consideration the user should understand.
- Install Mechanism
- ok: No install spec or code is included — instruction-only — so nothing is written to disk or executed locally beyond normal agent actions. This is the lowest-risk install posture.
- Credentials
- note: Only one environment variable (NEMO_TOKEN) is required, which is proportionate to the declared purpose. The frontmatter also lists a config path (~/.config/nemovideo/) that the SKILL.md never references — a minor metadata/instruction mismatch but not itself dangerous.
- Persistence & Privilege
- ok: The skill does not request always:true or any elevated persistence. It runs on demand and uses the agent's normal ability to call external APIs. Autonomous invocation is allowed by default but not unusual; nothing else elevates its privileges.
