Skill v1.0.0
ClawScan security
Video Producer Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 1:29 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's described functionality (cloud video processing) matches its network calls and token usage, but there are small inconsistencies and privacy-relevant instructions (auto-creating/storing tokens, detecting install paths, uploading user files to a third-party API) that you should understand before installing.
- Guidance: This skill appears to actually implement cloud video processing, but it will: (1) contact an external endpoint (mega-api-prod.nemovideo.ai) to mint an anonymous token if you don't supply one, (2) create and store session IDs for job management, and (3) upload any files you provide to that third-party service. Before installing or using it, confirm you trust that service for handling your footage (especially sensitive content). Ask the publisher to clarify the config path usage (~/.config/nemovideo/) and where session tokens and session_id are stored and for how long. If you prefer, provide your own NEMO_TOKEN rather than letting the skill auto-generate it, and avoid uploading highly sensitive videos until you verify the provider's privacy/security practices.
Review Dimensions
- Purpose & Capability (note): The name/description (cloud video production) aligns with the API endpoints and the single required credential (NEMO_TOKEN). However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and worth asking the author to clarify.
- Instruction Scope (concern): The instructions tell the agent to autonomously obtain an anonymous token (POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token), create and reuse sessions, and upload files (multipart or URL). They also instruct the agent to detect install paths to set X-Skill-Platform (which requires probing filesystem paths). These behaviors are logically related to the skill but include automatic token acquisition/storage and silent backend calls that could result in user files being sent to a third-party service without an explicit, user-confirmed step.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by an installer. That reduces code-supply risk.
- Credentials (note): Only one credential (NEMO_TOKEN) is declared, which is proportionate to a cloud API. The skill instructs creating an anonymous token if none is present — reasonable for a guest mode, but it means the skill will call the external auth endpoint and will store/hold that token for subsequent requests. The inconsistency between registry configPaths (none) and the SKILL.md frontmatter (~/.config/nemovideo/) is a small red flag about what filesystem locations the skill may access.
- Persistence & Privilege (ok): always is false and the skill is not requesting elevated platform privileges. It does instruct storing session_id and token for subsequent calls (normal for a session-based API), but it does not declare or request permanent always-on presence.
