Skill v1.0.0

ClawScan security

Photo Video Tiktok · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 11, 2026, 8:13 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (turning photos into TikTok-ready videos), but its SKILL.md frontmatter and the registry metadata disagree about which local config paths it uses, and its instructions ask the agent to derive request headers from the local install path. Neither behaviour is expected for a photo-to-video service and both are worth clarifying with the author before use.
Guidance
This skill appears to do what it claims (upload photos, call a cloud render API, return a video) and needs only a NEMO_TOKEN, but two points should be checked before installing or using it:

(1) Metadata mismatch: the SKILL.md frontmatter references a local config directory (~/.config/nemovideo/) that the registry metadata does not list, and the instructions ask the agent to detect the skill's install path in order to set an attribution header. Ask the author why the skill needs to inspect local install or config paths and whether any files there are read.

(2) Network endpoints: the skill will POST images and create sessions at https://mega-api-prod.nemovideo.ai. Confirm that you trust that domain and review its privacy and retention policy before uploading sensitive images.

Practical precautions: start with non-sensitive test images, avoid supplying real account credentials (use the anonymous-token flow if it is available), and ask the publisher to clarify the config path and the header-derivation behaviour. If the author confirms that the config path is unused or optional, these concerns are minor; if not, treat the skill as a privacy risk.

Review Dimensions

Purpose & Capability
note: The skill's name and description align with its runtime instructions to upload images and request rendered MP4s from a cloud backend. Requesting a single NEMO_TOKEN credential is proportionate for a cloud video service. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths; that mismatch is unexplained and could indicate that the skill expects to read local configuration files.
Instruction Scope
concern: The instructions tell the agent to check NEMO_TOKEN and, if it is absent, to call an anonymous-token endpoint and use the returned token. They also specify deriving attribution headers (including X-Skill-Platform) by detecting the skill install path (e.g., ~/.clawhub/, ~/.cursor/skills/) and refer to a local config path in the YAML frontmatter. Asking the agent to inspect install paths or local config directories goes beyond simply sending user-provided images and could touch local state unrelated to converting photos to video. The other actions (uploads, SSE, polling renders) are within the stated purpose.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so install risk is low. According to the provided metadata, nothing will be downloaded or written by an automatic installer.
Credentials
concern: Only NEMO_TOKEN is declared as required, which is reasonable. But the frontmatter also lists a config path (~/.config/nemovideo/) that was not declared in the registry 'Required config paths' field, an unexplained additional local access. The skill also instructs the agent to create and use an anonymous token if NEMO_TOKEN is missing (reasonable), but the need to read install or config paths to compose headers is not justified by the description.
Persistence & Privilege
ok: The skill is not marked 'always' and is user-invocable. It relies on ephemeral session tokens and API calls. There is no evidence that it requests ongoing elevated privileges or modifies other skills or system-wide settings.
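The two checks the Guidance and the Credentials and Instruction Scope dimensions above recommend (frontmatter config paths that the registry does not declare, and instructions that ask the agent to detect its install path or contact network endpoints) can be automated before a skill is installed. The script below is an added example, not ClawHub's scanner and not the skill author's code. The SKILL.md and registry record it contains are constructed to reproduce the mismatch described in this review; the frontmatter keys (config_paths, required_env), the registry fields (required_config_paths, install_spec) and the list of known install paths are assumptions, and the real artifact may use different names.

```python
"""Cross-check a skill's SKILL.md frontmatter against its registry metadata.

Added example (not ClawHub's scanner, not the skill's own code). The key and
field names below are assumptions chosen to illustrate the review's findings.
"""
import re
from dataclasses import dataclass

# Constructed SKILL.md, modelled on the findings above (not the real artifact).
SAMPLE_SKILL_MD = """\
---
name: photo-video-tiktok
description: Turn photos into TikTok-ready videos
config_paths:
  - ~/.config/nemovideo/
required_env:
  - NEMO_TOKEN
---
Check NEMO_TOKEN. If it is absent, request an anonymous token from
https://mega-api-prod.nemovideo.ai and use it. Detect the install path
(~/.clawhub/ or ~/.cursor/skills/) and set X-Skill-Platform accordingly.
POST images to https://mega-api-prod.nemovideo.ai, create a render session,
and poll until the MP4 is ready.
"""

# Constructed registry record: it declares the token but no config paths.
SAMPLE_REGISTRY = {
    "name": "photo-video-tiktok",
    "required_env": ["NEMO_TOKEN"],
    "required_config_paths": [],
    "install_spec": None,
}
# The same record after the author declares the config path in the registry.
SAMPLE_REGISTRY_FIXED = {**SAMPLE_REGISTRY,
                         "required_config_paths": ["~/.config/nemovideo/"]}

# Agent install locations the review mentions; a real scanner would keep a fuller list.
KNOWN_INSTALL_PATHS = ("~/.clawhub/", "~/.cursor/skills/")
HOST_RE = re.compile(r"https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


@dataclass
class Finding:
    severity: str   # "ok", "note" or "concern", mirroring the review dimensions
    dimension: str
    message: str


def parse_frontmatter(text: str) -> tuple[dict, str]:
    """Split a SKILL.md into (frontmatter mapping, body).

    Handles only the YAML subset used here: `key: value` scalars and `key:`
    followed by `  - item` lines. It is deliberately not a full YAML parser.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}, text
    try:
        end = lines.index("---", 1)
    except ValueError:          # unterminated frontmatter: treat everything as body
        return {}, text
    meta: dict = {}
    current = None              # list key currently being filled
    for raw in lines[1:end]:
        if not raw.strip():
            continue
        if raw.startswith("  - ") and current is not None:
            meta[current].append(raw[4:].strip())
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            meta[key] = value
            current = None
        else:
            meta[key] = []
            current = key
    return meta, "\n".join(lines[end + 1:])


def find_endpoints(body: str) -> list[str]:
    """Distinct hosts the instructions tell the agent to contact."""
    return sorted(set(HOST_RE.findall(body)))


def find_install_path_detection(body: str) -> list[str]:
    """Known agent install paths the instructions ask the agent to look at."""
    return [p for p in KNOWN_INSTALL_PATHS if p in body]


def review_skill(skill_md: str, registry: dict) -> list[Finding]:
    meta, body = parse_frontmatter(skill_md)
    findings: list[Finding] = []
    # Credentials: every env var the frontmatter needs must be declared.
    declared_env = set(registry.get("required_env", []))
    for var in meta.get("required_env", []):
        if var not in declared_env:
            findings.append(Finding("concern", "Credentials",
                                    f"{var} required by SKILL.md but not declared in registry"))
    # Credentials / Purpose: config paths in the frontmatter but not in the registry.
    declared_paths = set(registry.get("required_config_paths", []))
    for path in meta.get("config_paths", []):
        if path not in declared_paths:
            findings.append(Finding("concern", "Credentials",
                                    f"config path {path} is in the frontmatter but not in registry 'Required config paths'"))
    # Instruction Scope: detecting the install path reads local state unrelated to the task.
    detected = find_install_path_detection(body)
    if detected:
        findings.append(Finding("concern", "Instruction Scope",
                                "instructions ask the agent to inspect install paths: " + ", ".join(detected)))
    # Surface every network host so the user can decide whether to trust it.
    for host in find_endpoints(body):
        findings.append(Finding("note", "Instruction Scope", f"instructions contact {host}"))
    # Install Mechanism: no install spec means nothing is downloaded or written automatically.
    if registry.get("install_spec") is None:
        findings.append(Finding("ok", "Install Mechanism", "instruction-only skill, no install spec"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'review' if any concern remains, otherwise 'ok'."""
    return "review" if any(f.severity == "concern" for f in findings) else "ok"


if __name__ == "__main__":
    for f in review_skill(SAMPLE_SKILL_MD, SAMPLE_REGISTRY):
        print(f"{f.severity:8} {f.dimension:18} {f.message}")
    print("verdict:", verdict(review_skill(SAMPLE_SKILL_MD, SAMPLE_REGISTRY)))
```

Running the check against the constructed sample yields two concerns (the undeclared config path and the install-path detection) plus a note naming the one host contacted. With SAMPLE_REGISTRY_FIXED, which reflects an author declaring the config path, the config-path concern disappears but the install-path concern remains, which is why the review treats the header-derivation behaviour as a separate question to put to the publisher.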