Skill v1.0.0
ClawScan security
Short Video Factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 12:54 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches a cloud-based video-rendering service, but there are provenance and minor coherence issues (unknown publisher, mismatched metadata, and filesystem checks) that you should understand before installing — the skill will upload your videos and use/obtain a bearer token for a third-party API.
- Guidance: This skill appears to be a straightforward cloud-render client: it will upload whatever video files you give it and use a bearer token (NEMO_TOKEN or an anonymous token it can fetch) to call an external API at mega-api-prod.nemovideo.ai. That behavior is consistent with its purpose, but consider the following before installing:
  - Provenance: The skill has no known homepage or publisher details. If you care about privacy and attribution, prefer skills from known vendors.
  - Data exfiltration: Your raw video files (which may contain sensitive content) will be uploaded to the service. Only proceed if you trust the destination and its privacy terms.
  - Tokens and storage: The skill will use or obtain a bearer token and save session identifiers; avoid setting a long-lived or high-privilege token in NEMO_TOKEN unless you trust the service. Prefer the anonymous token flow for testing.
  - Filesystem checks: The skill may probe a few paths (~/.clawhub, ~/.cursor/skills/, ~/.config/nemovideo/) to set X-Skill-Platform or read its own frontmatter; this is limited but unexpected given the registry claim of no config paths.
  - Test safely: If you want to try it, test with non-sensitive, low-resolution clips and monitor network activity. Ask the publisher for a privacy policy/endpoints and confirm the domain is legitimate before uploading private content. If you want higher assurance, request the publisher/source code or an official homepage, or prefer a skill integrated with a vendor you trust.
Review Dimensions
- Purpose & Capability: ok. The name/description (short video editing) align with the instructions: the skill uploads source video, creates sessions, streams SSE edits, and requests renders from a remote API. Requesting a NEMO_TOKEN credential is coherent with a hosted rendering service.
- Instruction Scope: note. Runtime instructions explicitly direct the agent to: read NEMO_TOKEN (if present) or obtain an anonymous token via POST; create a session and save session_id; upload local files (multipart) or URLs; poll render status; and add custom attribution headers. These are expected for a cloud render integration but do entail transmitting potentially large user files (videos) and session tokens to the external domain. The skill also instructs detecting install path (~/.clawhub, ~/.cursor/skills/) and reading YAML frontmatter for attribution — this requires limited filesystem inspection beyond the skill file.
- Install Mechanism: ok. No install spec or code files are present (instruction-only). That lowers disk/execute risk because nothing is downloaded or installed by the skill itself.
- Credentials: concern. The declared primaryEnv NEMO_TOKEN is appropriate. However, metadata includes a configPaths entry (~/.config/nemovideo/) and the SKILL.md instructs filesystem checks to detect install path for the X-Skill-Platform header; these file-path expectations are inconsistent with the registry 'Required config paths: none' and mean the skill may probe a few user paths. Aside from NEMO_TOKEN, no unrelated secrets are requested.
- Persistence & Privilege: ok. always:false and normal autonomous invocation settings. The skill does not request persistent system-level privileges or to modify other skills. It will persist session_id and use tokens for API calls as part of normal operation.
