Skill v1.0.0
ClawScan security
Zsky Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 10:37 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are internally consistent with a cloud-based AI video editing service; it only needs a single service token and talks exclusively to the nemovideo.ai API described in the docs.
- Guidance: This skill appears to do what it says: it will upload your video files to a nemovideo.ai backend using a NEMO_TOKEN (or fetch an anonymous token). Before installing or using it, consider: (1) The backend domain is external and the service will receive any uploaded video and metadata — do not upload sensitive videos you wouldn't want transmitted off-device. (2) The skill can auto-create a short-lived anonymous token (100 free credits, 7-day expiry); if you prefer, provide your own NEMO_TOKEN instead of using anonymous auth. (3) The metadata mentions a config path (~/.config/nemovideo/) even though the instructions don't use it — check what data (if any) would be read from that location in your environment. (4) Verify you trust the unknown publisher/endpoint since there is no homepage or known vendor listed. If any of these are unacceptable, do not enable the skill or only use it with non-sensitive test videos.
Review Dimensions
- Purpose & Capability (ok): Name/description match the declared API endpoints and the single required credential (NEMO_TOKEN). Asking for a service token and a session lifecycle is proportionate for a cloud video-rendering skill.
- Instruction Scope (note): SKILL.md instructs the agent to check the NEMO_TOKEN, obtain an anonymous token from the stated nemovideo.ai endpoint if missing, create sessions, upload files, use SSE, poll render status, and download results — all consistent with a remote rendering workflow. The file-upload behavior will require reading user-specified video files (expected). The skill also describes detecting install path (~/.clawhub, ~/.cursor/skills) to populate X-Skill-Platform headers; that implies reading/install-path detection but does not request unrelated files or credentials.
- Install Mechanism (ok): Instruction-only skill with no install spec or code to write to disk; lowest-risk install footprint.
- Credentials (note): Only NEMO_TOKEN is required, which matches the API usage. Metadata lists a config path (~/.config/nemovideo/) that the instructions do not explicitly reference — this is not necessarily malicious but is an unexplained artifact to be aware of.
- Persistence & Privilege (ok): always:false and no request to modify other skills or system-wide config. The skill can be invoked autonomously (platform default), which is expected for a user-invocable integration.
