Skillv1.0.0

ClawScan security

Kiss Video Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 26, 2026, 5:34 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud-hosted video creation service: it needs a single NEMO_TOKEN and talks to a nemovideo.ai API to upload media and trigger renders.
Guidance: This skill appears to do what it says: it uploads your photos/videos to a remote nemovideo.ai service and returns rendered MP4s. Before installing or using it, consider: (1) Privacy — your media will leave your device and be stored/processed by the remote service; review the service's privacy/terms if possible. (2) Credentials — the skill needs a NEMO_TOKEN (or it will auto-request an anonymous token); avoid supplying any high-privilege or unrelated secrets. (3) Metadata mismatch — the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) while the registry metadata lists no config paths; ask the publisher to clarify what local files (if any) the skill will read. (4) Origin — source/homepage are unknown; if you need assurance, request publisher identity or a public homepage before trusting sensitive media. If these points are acceptable, the skill is internally coherent and limited to its advertised cloud-rendering role.

Review Dimensions

Purpose & Capability: okThe name/description (create kiss-themed videos from photos/clips) matches the runtime instructions and the single required credential (NEMO_TOKEN). All declared endpoints and actions (upload, render, credits, state) are coherent with a remote video-rendering service.
Instruction Scope: noteInstructions direct the agent to upload user media and stream server-sent events from mega-api-prod.nemovideo.ai — this is expected for the stated purpose. The SKILL.md also instructs the agent to read/detect the skill install path (to set X-Skill-Platform) and to use a config path (~/.config/nemovideo/) in its frontmatter metadata; reading install paths or config files is outside pure video processing but appears limited to attribution/metadata. The instructions do not ask for unrelated system credentials or other files, but they will send user media to an external service (privacy consideration).
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest install risk (nothing is downloaded or written by an install script). All network interactions occur at runtime via the described API endpoints.
Credentials: noteOnly one environment variable is required: NEMO_TOKEN (primary credential) which is appropriate for an API-backed video service. If NEMO_TOKEN is absent the instructions generate an anonymous token via the service's anonymous-token endpoint — expected but means the skill will obtain and use temporary credentials automatically. There is a minor metadata mismatch: top-level registry info showed no required config paths, but the SKILL.md frontmatter declares configPaths (~/.config/nemovideo/).
Persistence & Privilege: okSkill does not request always:true and uses default autonomous invocation. It does not ask to modify other skills or system-wide settings. The only filesystem probing is for attribution/install-path detection and an optional service config path mentioned in frontmatter.