Skill v1.0.0

ClawScan security

Topmediai Ai Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 18, 2026, 4:57 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud video/music generation tool and its single required credential (NEMO_TOKEN) — nothing in the package appears disproportionate to that purpose, though there are minor metadata inconsistencies and expected privacy/network concerns to consider.
Guidance
This skill appears to be a straightforward wrapper around a cloud rendering API (mega-api-prod.nemovideo.ai) and will upload your media and prompt text to that service. Before installing or using it:
1) Be comfortable that your videos/audio will be sent to the remote host and that generated or uploaded media may be stored/processed there.
2) Confirm you trust the NEMO_TOKEN you provide (know its scope and lifetime); if you don't set NEMO_TOKEN the skill will obtain an anonymous token automatically.
3) Note the skill may read local install paths or its own frontmatter to populate attribution headers — if you prefer no local file reads, avoid installing.
4) The SKILL.md contains a small metadata inconsistency (declared configPaths in frontmatter vs registry listing none) — not critical but worth noting.
If any of the above is unacceptable (sensitive videos, unknown token scopes, or avoiding local filesystem reads), don't install or run this skill. Otherwise it is internally consistent with its declared purpose.

Review Dimensions

Purpose & Capability
ok
The name/description (AI music for videos) aligns with the declared primary credential (NEMO_TOKEN) and the API endpoints referenced (nemovideo.ai). No binaries are required, and the declared env var is exactly what an API-backed service would need. One minor inconsistency: the registry metadata lists no required config paths, but the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/). This is a small mismatch but does not change the core purpose.
Instruction Scope
note
The SKILL.md gives detailed runtime instructions that remain within the stated scope (create session, upload video, SSE chat, export/polling). It also instructs the agent to read the skill's YAML frontmatter at runtime and to detect install path patterns (e.g., ~/.clawhub, ~/.cursor/skills/) — this implies reading local files/paths which is plausible for header attribution but is a local-file access the user should be aware of. The skill also instructs automatic acquisition of an anonymous token if NEMO_TOKEN is missing (network call). All SSE and upload behavior is consistent with a cloud rendering workflow.
Install Mechanism
ok
No install spec or code files are present; this is instruction-only so nothing additional is written to disk during installation. This is the lowest-risk install model.
Credentials
note
The skill only requests a single credential (NEMO_TOKEN) which is proportionate to a cloud API integration. The SKILL.md also references a config path in its frontmatter (~/.config/nemovideo/), which the registry did not list — another small metadata mismatch. No unrelated secrets or broad environment access are requested.
Persistence & Privilege
ok
always is false and the skill is user-invocable; it does not request permanent/always-on presence or modifications to other skills. Autonomous invocation (model invocation enabled) is the platform default and is not an additional red flag here.