Skill v1.0.0

ClawScan security

Maker Easy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 12:35 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions mostly match a cloud video-editing service, but there are small inconsistencies between the registry metadata and SKILL.md, and the skill obtains and uses bearer tokens and sends uploads to an external API that you must decide whether to trust.
Guidance
This skill is coherent with a cloud video-editing service and needs only a single API token (NEMO_TOKEN). Before installing:
1) Confirm you trust the backend domain (mega-api-prod.nemovideo.ai) and the skill owner; no homepage or docs are provided, so ownership of the domain cannot be checked from the listing alone.
2) Treat NEMO_TOKEN as a credential. If it is a personal account token, create a limited test token or use the anonymous flow instead, so that a misbehaving skill cannot act on your full account.
3) SKILL.md mentions a local config path (~/.config/nemovideo/) but the registry metadata declares no config paths. Ask the publisher whether any local files are read or written at runtime.
4) Do not send sensitive video or audio until you have verified the service's privacy and retention terms and its billing/credit behaviour, because every upload leaves your machine for an external service.
For higher assurance, request the skill's source or official docs and verify the API endpoints and their ownership before use.
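The reconciliation that step 3 asks for (what the registry declares versus what SKILL.md actually instructs) can be done mechanically before install. The script below is an added example, not ClawHub's scanner and not the skill's own code. The SKILL.md text and the registry record are constructed from the facts on this page; the frontmatter layout (YAML-like keys config_paths, env, always) and the registry field names (required_env, required_config_paths, hosts, homepage) are assumptions, since the page does not show either file verbatim.

```python
"""Pre-install consistency check for a ClawHub-style skill.

Compares the registry record with SKILL.md on three axes a reviewer cares
about: external hosts contacted, environment variables used, and local
paths touched. Every discrepancy becomes one finding string.
Added example; field names and frontmatter layout are assumptions.
"""
import re

# Constructed SKILL.md mirroring the findings on this page.
SKILL_MD = """---
name: Maker Easy
config_paths:
  - ~/.config/nemovideo/
env:
  - NEMO_TOKEN
always: false
---
1. Read NEMO_TOKEN from the environment. If absent, obtain an anonymous
   token from the documented auth endpoint on https://mega-api-prod.nemovideo.ai
2. Create a session at https://mega-api-prod.nemovideo.ai using
   Authorization: Bearer <token>, then upload, stream SSE, poll state, render.
3. Detect the install path (~/.clawhub/ or ~/.cursor/skills/) and send it
   as an attribution header.
Never print the token or raw API output.
"""

# Constructed registry record (field names assumed).
REGISTRY = {
    "name": "Maker Easy",
    "version": "1.0.0",
    "required_env": ["NEMO_TOKEN"],
    "required_config_paths": [],          # registry said "none"
    "hosts": ["mega-api-prod.nemovideo.ai"],
    "homepage": None,                     # no homepage or docs provided
}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
ENV_RE = re.compile(r"\b([A-Z][A-Z0-9]*_[A-Z0-9_]+)\b")   # SCREAMING_SNAKE names
PATH_RE = re.compile(r"~/[\w./-]+/")                      # home-relative dirs


def split_frontmatter(text):
    """Return (frontmatter dict, body). Supports 'key: value' and 'key:' + '  - item' lists."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    data, key = {}, None
    for line in m.group(1).splitlines():
        if line.startswith("  - ") and key:
            data.setdefault(key, []).append(line[4:].strip())
        elif ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            data[key] = val if val else []
    return data, m.group(2)


def observed_behaviour(body):
    """What the runtime instructions actually reference, regardless of what was declared."""
    return {
        "hosts": set(HOST_RE.findall(body)),
        "env": set(ENV_RE.findall(body)),
        "paths": set(PATH_RE.findall(body)),
    }


def audit(skill_md, registry):
    fm, body = split_frontmatter(skill_md)
    seen = observed_behaviour(body)
    findings = []
    declared_hosts = set(registry.get("hosts", []))
    for host in sorted(seen["hosts"] - declared_hosts):
        findings.append(f"undeclared host: {host}")
    declared_env = set(registry.get("required_env", []))
    for var in sorted(seen["env"] - declared_env):
        findings.append(f"undeclared env var: {var}")
    for var in sorted(set(fm.get("env", [])) ^ declared_env):
        findings.append(f"env var declared in only one place: {var}")
    fm_paths = set(fm.get("config_paths", []))
    reg_paths = set(registry.get("required_config_paths", []))
    for p in sorted(fm_paths ^ reg_paths):          # symmetric difference: either side only
        findings.append(f"config path declared in only one place: {p}")
    for p in sorted(seen["paths"] - fm_paths - reg_paths):
        findings.append(f"path read at runtime but declared nowhere: {p}")
    if not registry.get("homepage"):
        findings.append("no homepage/docs: verify endpoint ownership out of band")
    return findings


if __name__ == "__main__":
    for finding in audit(SKILL_MD, REGISTRY):
        print("-", finding)
```

On the constructed input this reports the config-path mismatch, the two install-path reads that neither side declares, and the missing homepage, while the host and the single env var reconcile cleanly, which matches the verdict above. The symmetric difference on config paths matters: a path declared only in the registry is just as much a question for the publisher as one declared only in SKILL.md.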

Review Dimensions

Purpose & Capability
note · Name/description match the runtime instructions: the skill routes uploads and editing commands to a cloud video backend (mega-api-prod.nemovideo.ai). Requesting a single NEMO_TOKEN credential is appropriate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata says "required config paths: none"; this mismatch should be clarified with the publisher before install.
Instruction Scope
ok · SKILL.md limits actions to checking and using NEMO_TOKEN, optionally obtaining an anonymous token via the documented auth endpoint, creating sessions, uploading files, streaming SSE, polling state and kicking off renders. It instructs the agent not to expose tokens or raw API output. It also detects the install path (~/.clawhub/ or ~/.cursor/skills/) to set an attribution header, which means the skill reads its own install location from the agent's filesystem and reports it to the backend; that stays within the stated purpose.
Install Mechanism
ok · Instruction-only skill (no install step, no code files). Lowest install risk: nothing is written to disk by an installer. The open question about ~/.config/nemovideo/ concerns runtime behaviour, not installation.
Credentials
note · Only NEMO_TOKEN is required and it is the primary credential, which is appropriate for a cloud API client. If NEMO_TOKEN is absent the skill creates and uses an anonymous token via the public auth endpoint instead. The mismatch noted above between the config path in SKILL.md and the registry metadata leaves open whether the skill expects local config files, which could be another place a token is read from or written to.
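The two credential rules the review calls out (prefer NEMO_TOKEN, fall back to an anonymous token, and never let the token or raw API output reach the transcript) are easy to get wrong in an agent integration. The following is an added example of how a client wrapper can enforce them; it is not the skill's code. The anonymous-token fetcher is injected as a callable so the example runs offline, because the page does not name the auth endpoint; the attribution header name X-Skill-Origin and the response field names in summarize are assumptions.

```python
"""Credential handling for a NEMO_TOKEN-style cloud client (added example).

- token(): NEMO_TOKEN from the environment wins; otherwise the injected
  anonymous-token fetcher is called once and the result cached.
- redact(): scrubs bearer header values and the live token from any text
  before it is shown to the agent or user.
- summarize(): returns only allow-listed fields from an API response
  instead of echoing the raw payload.
Header and field names below are assumptions, not the real API's.
"""
import os
import re
from typing import Callable, Mapping, Optional

AUTH_HEADER_RE = re.compile(r"(?i)(authorization:\s*bearer\s+)\S+")
ALLOWED_FIELDS = ("session_id", "state", "render_url")   # assumed response fields


class TokenSource:
    def __init__(self, env: Mapping[str, str], fetch_anonymous: Callable[[], str]):
        self.env = env
        self.fetch_anonymous = fetch_anonymous   # hypothetical: real one would call the auth endpoint
        self._token: Optional[str] = None
        self.source: Optional[str] = None

    def token(self) -> str:
        """Resolve the credential once; prefer the personal token, else go anonymous."""
        if self._token is None:
            personal = self.env.get("NEMO_TOKEN")
            if personal:
                self._token, self.source = personal, "env:NEMO_TOKEN"
            else:
                self._token, self.source = self.fetch_anonymous(), "anonymous"
        return self._token

    def auth_headers(self, install_path: str = "") -> dict:
        """Headers for a backend call; the attribution header name is assumed."""
        headers = {"Authorization": f"Bearer {self.token()}"}
        if install_path:
            headers["X-Skill-Origin"] = install_path
        return headers

    def redact(self, text: str) -> str:
        """Remove bearer header values and the live token from anything destined for output."""
        text = AUTH_HEADER_RE.sub(r"\1[REDACTED]", text)
        return text.replace(self.token(), "[REDACTED]")


def summarize(raw: dict) -> dict:
    """Return only fields the agent needs; never forward the raw API body."""
    return {k: raw[k] for k in ALLOWED_FIELDS if k in raw}


if __name__ == "__main__":
    src = TokenSource(os.environ, lambda: "anon-demo-token")
    print("credential source:", src.source or (src.token() and src.source))
    print(src.redact(f"debug: Authorization: Bearer {src.token()} sent"))
    print(summarize({"session_id": "s-1", "state": "rendering", "debug": {"token": src.token()}}))
```

Because summarize drops unknown keys, a debug object that happens to carry the token never reaches the transcript even if redact is forgotten. The source attribute lets the caller tell a personal token from an anonymous one, which is what the guidance above asks you to do before uploading anything sensitive.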
Persistence & Privilege
ok · always: false, and nothing indicates the skill modifies other skills or system-wide settings. It keeps a session_id in memory for the lifetime of the session, which is normal for this kind of integration.