Skill v1.0.0

ClawScan security

Video Drama · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 18, 2026, 2:56 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill’s declared purpose (cloud video editing) matches most of its instructions, but there are inconsistencies about config paths and the skill will upload your videos and obtain/hold tokens with a third‑party backend you cannot verify — review before use.
Guidance
This skill delegates all processing to a third‑party service (https://mega-api-prod.nemovideo.ai). Before installing or using it: (1) understand that any video you upload will be transmitted to that service — do not send sensitive or private footage without confirming data handling and retention policies; (2) ask the author to explain the config path discrepancy (~/.config/nemovideo/) and to confirm whether the skill will read or write local config files; (3) verify where and how NEMO_TOKEN (or the anonymous token it creates) is stored and for how long jobs/outputs are retained; (4) request a homepage or privacy/security documentation and confirm the API domain is legitimate; (5) if you must use this with confidential material, prefer an alternative that runs locally or uses a vendor you trust. If the author can justify the config-path use and provide privacy terms, the inconsistencies become less concerning.

Review Dimensions

Purpose & Capability
note: Name/description (cloud video editing) aligns with the runtime instructions (session creation, upload, render, export). The required env var NEMO_TOKEN is consistent with a cloud API. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that is not listed in the registry metadata — this mismatch should be explained by the author.
Instruction Scope
ok: Instructions are narrowly focused on connecting to a remote rendering API: check/acquire a token, create a session, upload files, drive SSE, poll render status, and return a download URL. There is no instruction to read arbitrary local files beyond the uploaded video path. The skill will, however, prompt automatic token acquisition and will transmit user-supplied video clips to the remote endpoint, which is expected but privacy‑sensitive.
Install Mechanism
ok: No install spec and no code files — the skill is instruction-only, which minimizes on-disk risk. Network activity to the described API is required at runtime.
Credentials
concern: Only NEMO_TOKEN is declared as required, which is proportionate. But two issues raise concern: (1) SKILL.md shows it will obtain an anonymous token itself if NEMO_TOKEN is missing (so network access and token storage are part of the flow), and (2) the SKILL.md metadata mentions a config path (~/.config/nemovideo/) even though registry metadata listed none. That suggests the skill may look for or use local config files — the reason for that access is not stated.
Persistence & Privilege
ok: always is false and nothing in the instructions requests persistent system-level privileges or modification of other skills. Session tokens and job IDs are kept for operations, which is expected for a remote-render workflow.