Skill v1.0.0
ClawScan security
Mp3 Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 12:43 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared requirements and runtime instructions are consistent with an AI-driven cloud audio/video editing service that uploads user files to nemo video APIs, but the publisher and service domain are unknown so exercise caution with sensitive audio and tokens.
- Guidance: This skill uploads any audio you give it to an external service (mega-api-prod.nemovideo.ai) and uses a bearer token (NEMO_TOKEN) for auth; if NEMO_TOKEN is not provided it will create a short-lived anonymous token. Before installing/using: (1) confirm you trust the service and the publisher (no homepage or reputable owner listed here), (2) avoid uploading sensitive audio until you verify privacy/retention policies, (3) prefer using an account-specific token you can revoke rather than a long-lived secret stored in env, and (4) monitor or delete any saved session tokens or files in your account on the service after use. If you want higher assurance, ask the publisher for a homepage, privacy policy, and official SDK/release references for nemovideo.ai.
Review Dimensions
- Purpose & Capability (ok): Name/description (MP3 editing and exporting MP4) aligns with the declared requirement (NEMO_TOKEN) and the SKILL.md which describes a remote render API. Required env var and config path (NEMO_TOKEN and ~/.config/nemovideo/) are plausible for a cloud video-processing integration.
- Instruction Scope (note): SKILL.md instructs the agent to obtain/use a bearer NEMO_TOKEN (or generate an anonymous token via nemovideo API), create a session, upload user audio files, stream SSE messages, poll render status, and return a remote download URL. All of these are consistent with the stated purpose. The instructions also ask the agent to read this file's frontmatter and detect install path to populate attribution headers — this requires limited filesystem inspection. The notable runtime behavior is that user audio files and session tokens are transmitted to an external service (mega-api-prod.nemovideo.ai). This is expected for a cloud service but is the primary privacy surface to consider.
- Install Mechanism (ok): No install step and no code files — instruction-only skill — so nothing is written to disk by an installer. This is the lowest install risk.
- Credentials (ok): Only one required environment variable (NEMO_TOKEN) and an optional config path are declared; these are directly used for API auth and local config. No unrelated secrets or broad credential access are requested.
- Persistence & Privilege (ok): always:false and normal autonomous invocation settings. The skill instructs saving session_id/tokens for operation (normal for a sessioned API) but does not request elevated or cross-skill configuration changes.
