Skill v1.0.0
ClawScan security
Analyze Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 29, 2026, 4:40 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's actions generally match a cloud video-analysis tool, but there are unexplained metadata mismatches, vague instructions about headers/attribution, and it will upload user videos to an external service (privacy/exfiltration risk) — confirm the service and data handling before use.
- Guidance: This skill will send your video files to mega-api-prod.nemovideo.ai for processing and will create or use a NEMO_TOKEN to do so. Before installing or using it:
  1. Verify you trust nemovideo.ai (no homepage/source listed); ask the publisher for a homepage, privacy policy, and data-retention policy.
  2. Avoid uploading sensitive or confidential videos unless you confirm how long uploads are kept and who can access them.
  3. Prefer providing your own NEMO_TOKEN (from a vetted account) rather than letting the skill fetch an anonymous token automatically.
  4. Ask the author to resolve the metadata mismatch (declared configPaths vs registry) and to clarify the required HTTP headers and where session tokens are stored/cleared.
  5. If you must test, do so with non-sensitive videos and monitor network activity or run in an isolated environment.
  If you need higher assurance, request the skill's source or a verified homepage before use.
Review Dimensions
- Purpose & Capability (note): The name/description (video analysis) aligns with the API calls and flows in SKILL.md (session creation, upload, render/export). Requiring a NEMO_TOKEN for a cloud API is coherent. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — a minor inconsistency in declared requirements.
- Instruction Scope (concern): Runtime instructions direct the agent to upload user video files and session state to https://mega-api-prod.nemovideo.ai and to POST to an anonymous-token endpoint if no NEMO_TOKEN is present. Uploading user video content to a third-party cloud is expected for this functionality but is a significant privacy/security action that must be explicit to users. The doc also asks the agent to inspect the install path to set X-Skill-Platform and to read the YAML frontmatter for attribution — both require local environment inspection. The SKILL.md also references 'the three attribution headers above' in a slightly vague way, which could cause incorrect header usage.
- Install Mechanism (ok): No install spec and no code files — an instruction-only skill — so there is no additional install-time code being written to disk. This lowers installation risk. Network calls are specified in the instructions, which is expected but worth noting.
- Credentials (note): Only NEMO_TOKEN is declared as required/primary, which fits a cloud API integration. The instructions, however, will obtain an anonymous token by POSTing to the vendor endpoint if NEMO_TOKEN is absent — this behavior is reasonable but should be explicit to users because it results in network authentication and session creation without a pre-provided credential. The frontmatter's configPaths differs from the registry manifest (the registry says none), which is an inconsistency to clarify.
- Persistence & Privilege (ok): `always` is false and autonomous invocation is allowed (platform default). The skill does not request elevated platform privileges or permanent presence. It does create sessions and tokens for the remote service, but there is no instruction to modify other skills or system-wide settings.
