Skill v1.0.0
ClawScan security
Best App To Add Music To Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 8:27 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are coherent for a cloud-based video-to-music service, but the publisher/source is unknown, the skill sends user videos to a third-party API and stores tokens/session state, and there is no external vetting or homepage — review privacy and token use before installing.
- Guidance: This skill appears to do what it says (upload a video, add music, return a rendered file), but you should be cautious before installing:
  - The skill will upload your videos and session tokens to https://mega-api-prod.nemovideo.ai. Do NOT send sensitive or private footage unless you trust that domain and its privacy policy.
  - NEMO_TOKEN is a secret (Bearer token). Confirm what account it unlocks; don't paste high-privilege or payment-enabled tokens unless you accept that risk. Prefer using the anonymous-token flow if you want limited, short-lived access.
  - The skill metadata lists a local config path (~/.config/nemovideo/) where it may store tokens/session IDs — check and audit that folder if concerned about persisted secrets.
  - There is no homepage or source repository provided and the publisher is unknown. Try to verify the service/domain independently (search for nemo video / nemovideo.ai) or ask the publisher for links, privacy policy, and documentation before trusting it with real content.
  - If you must use it: test with non-sensitive sample videos, inspect any created config files, and rotate/revoke tokens after use. If you need higher assurance, request source/docs or prefer a skill with an auditable codebase.
Review Dimensions
- Purpose & Capability (ok): Name/description (add music and export videos) match the declared requirements: a single API token (NEMO_TOKEN) and a config path for a NemoVideo client. There are no unrelated binaries or extraneous credentials requested.
- Instruction Scope (note): SKILL.md instructs the agent to obtain/use a Bearer token, create an anonymous token if none exists, create a session, upload user video files (multipart or URL), send SSE messages, poll render status, and return download URLs. Those actions are expected for this service. Important scope notes: user videos and session tokens are sent to an external API (mega-api-prod.nemovideo.ai); the skill expects to save session_id/token state (metadata includes ~/.config/nemovideo/); and it asks to auto-detect platform from install path — which may require reading environment/install paths. No instructions request unrelated system data, but the data leaving the agent is sensitive (media + tokens).
- Install Mechanism (ok): No install spec or code files are present (instruction-only skill). This is lowest install risk — nothing is downloaded or written by an installer according to the package manifest. Runtime behavior may still write to the declared config path.
- Credentials (note): Only one required environment variable (NEMO_TOKEN) and a config path are declared, which aligns with needing an API bearer token. That token provides full Bearer auth to the service and could grant account access or billing capabilities. The requirement is proportionate to the stated function, but because the token is effectively a secret, users should verify what account the token corresponds to and avoid supplying high-privilege credentials.
- Persistence & Privilege (ok): always:false (normal). The skill may persist session tokens and session_id under ~/.config/nemovideo/ (declared configPath) which is consistent with its functionality. It does not request elevated system privileges nor to alter other skills' configs. Autonomous invocation is allowed (platform default).
