Skill v1.0.0
ClawScan security
Video Clip Maker Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 1:14 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches a cloud video-processing service, but a few mismatches and missing provenance (unknown source/homepage, metadata vs. registry inconsistency, and unclear token/session storage) mean you should review it before trusting it with your videos or credentials.
- Guidance: Before installing or using this skill, consider the following:
  - The skill will upload your videos and related metadata to an external service at mega-api-prod.nemovideo.ai. If your footage contains sensitive or private content, do not upload it unless you trust that service and have reviewed its privacy/retention policy.
  - The skill auto-creates an anonymous NEMO_TOKEN if one is not provided. That token is a bearer credential valid for 7 days; ask where tokens and session IDs are stored (in memory vs. written to disk) and how to revoke them.
  - The package has no source/homepage listed and the registry owner is unknown; lack of provenance increases risk. Prefer skills with a verifiable homepage or source repository.
  - There is a minor inconsistency: SKILL.md metadata references a config path (~/.config/nemovideo/) and the skill reads install paths/YAML frontmatter. Confirm what local files the skill will read and why.
  - If you decide to proceed: (a) use a throwaway/bound account or token, (b) avoid uploading sensitive material until you confirm retention policies, (c) monitor and revoke tokens after use, and (d) request the maintainer/source code or a privacy/terms link before wide adoption.
  - If you want higher confidence, ask the publisher for source code or a homepage, and ask where tokens/session IDs are stored and how uploaded media are retained/deleted.
Review Dimensions
- Purpose & Capability
  - note: The skill's name/description (AI video clip creation) aligns with the runtime instructions (uploading video, creating render jobs, returning download URLs). Requesting a single service token (NEMO_TOKEN) is appropriate. However, the metadata in SKILL.md lists a config path (~/.config/nemovideo/) and instructs reading install paths/YAML frontmatter, while the registry entry shows no required config paths. This inconsistency is unexplained but plausibly related to attribution; it should be clarified.
- Instruction Scope
  - concern: Instructions direct the agent to obtain or use a bearer token, create sessions, upload user video files (multipart upload or via URL), send/receive SSE streams, poll render endpoints, and include attribution headers. Those are expected for a cloud render service. Concerns: (1) the skill will upload user content to an external domain (mega-api-prod.nemovideo.ai), a privacy/PII risk; (2) it instructs automatically generating an anonymous token when NEMO_TOKEN is not present and persisting a session_id, but does not say where or for how long tokens/session IDs are stored; (3) it instructs reading the skill's YAML frontmatter and probing install paths (~/.clawhub, ~/.cursor/skills/), which involves reading local filesystem state and may expose environment context.
- Install Mechanism
  - ok: This is an instruction-only skill with no install spec or code files; nothing is written to disk or downloaded by the skill bundle itself, which is the lowest-risk install pattern.
- Credentials
  - note: Only one required environment variable (NEMO_TOKEN) is declared, and it is directly used for API authorization, which is appropriate. The SKILL.md metadata also references a config path (~/.config/nemovideo/) even though the registry lists none; that mismatch should be explained. The automatic anonymous-token flow will create a bearer token for the service; storing and refreshing that token could persist secrets if not handled carefully.
- Persistence & Privilege
  - ok: The skill is not marked always:true and does not request elevated agent-wide privileges. It does instruct the agent to store a session_id and reuse the token for subsequent API calls; this is typical for service integrations, but you should confirm where and for how long those values are persisted and whether they are written to disk.
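The Guidance and Instruction Scope items above both leave open where NEMO_TOKEN and session_id end up on disk and which local paths the skill touches (~/.config/nemovideo/, ~/.clawhub, ~/.cursor/skills/). The script below is an added example, not part of ClawHub's scanner or the skill itself: it walks those paths after a session, reports any file that mentions either identifier, and flags permission bits that would expose a bearer token to other local users. The directory tree it builds is constructed for the demo, and the match pattern assumes the identifiers appear literally in files, since the token format and storage location are not documented on this page.

```python
"""Audit local skill paths for persisted NEMO credential material."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Paths named in the review as ones the skill may read or write.
DEFAULT_PATHS = ["~/.config/nemovideo/", "~/.clawhub", "~/.cursor/skills/"]

# Assumption: the token format is undocumented, so we match only the
# identifiers the skill uses (NEMO_TOKEN, session_id), never token values.
SECRET_PATTERN = re.compile(r"\b(NEMO_TOKEN|session_id)\b")


def audit_paths(paths, max_bytes=1_000_000):
    """Return one finding per file under `paths` that mentions a credential key."""
    findings = []
    for raw in paths:
        root = Path(os.path.expanduser(raw))
        if not root.exists():
            continue
        files = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
        for f in files:
            try:
                if f.stat().st_size > max_bytes:  # skip media and other large blobs
                    continue
                text = f.read_text(errors="replace")
            except OSError:
                continue
            if not SECRET_PATTERN.search(text):
                continue
            mode = stat.S_IMODE(f.stat().st_mode)
            findings.append({
                "name": f.name,
                "path": str(f),
                "mode": oct(mode),
                "keys": sorted(set(SECRET_PATTERN.findall(text))),
                # A bearer token readable by group/other is exposed to any local user.
                "group_readable": bool(mode & stat.S_IRGRP),
                "world_readable": bool(mode & stat.S_IROTH),
            })
    return findings


def build_sample_tree():
    """Constructed sample: a session file left 0644 and a token file kept 0600."""
    base = Path(tempfile.mkdtemp())
    cfg = base / ".config" / "nemovideo"
    cfg.mkdir(parents=True)
    session = cfg / "session.json"
    session.write_text('{"session_id": "sess-constructed-example"}\n')
    session.chmod(0o644)
    token = cfg / "token"
    token.write_text("NEMO_TOKEN=constructed-not-a-real-token\n")
    token.chmod(0o600)
    (base / "notes.txt").write_text("no credential material here\n")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for finding in audit_paths([str(base / ".config" / "nemovideo")]):
        verdict = "EXPOSED" if finding["world_readable"] or finding["group_readable"] else "ok"
        print(f'{finding["path"]}: keys={finding["keys"]} mode={finding["mode"]} {verdict}')
```

Run it with `audit_paths(DEFAULT_PATHS)` after exercising the skill to answer the storage question directly: an empty result means neither identifier was written under those paths, and any finding with `world_readable` or `group_readable` set is a token or session ID that should be revoked and the file re-permissioned to 0600.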
