Skill v1.0.0

ClawScan security

Video Letter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 23, 2026, 2:32 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions mostly match a cloud video-rendering purpose, but there are small inconsistencies and scope-creep (metadata mismatch, implicit filesystem/agent-path probing, and unclear token/session persistence) that you should understand before installing.
Guidance
This skill appears to do what it says (cloud video editing) and only needs a single API token, but there are a few things to confirm before installing or enabling it:
1) Ask the publisher to clarify the mismatch between registry metadata (no config paths) and the SKILL.md frontmatter (~/.config/nemovideo/) — confirm whether the skill will read or write local files and why.
2) Confirm where generated anonymous NEMO_TOKEN and session_id values are stored, who can read them, and how long they persist; avoid installing unless storage and retention are acceptable.
3) Because the skill will upload your video files to mega-api-prod.nemovideo.ai, verify the privacy/retention policy for uploaded media.
4) The SKILL.md asks not to display raw tokens — that's reasonable for secrecy, but makes it important you know where tokens are stored and can be revoked.
5) If you do not trust nemovideo.ai or cannot get answers to the above, do not enable the skill; otherwise proceed with caution and monitor for unexpected file access (install-path probing) or network requests outside the documented API domain.
Findings
[no_code_files_or_regex_findings] expected: This is an instruction-only skill; the scanner had no code to analyze. That's expected, but it means the SKILL.md instructions are the full security surface and should be examined carefully.

Review Dimensions

Purpose & Capability
note: The skill is a cloud-based video-editing front end and requests a single credential, NEMO_TOKEN, which aligns with calling a nemo video API. However, the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths — this mismatch should be clarified (does the skill need local config access?). Overall the requested credential and endpoints are coherent with the stated purpose.
Instruction Scope
concern: Instructions direct the agent to obtain an anonymous token automatically if NEMO_TOKEN is absent, create and persist a session_id, and call a set of backend endpoints for upload/rendering. The SKILL.md also requires generating attribution headers and 'auto-detecting' the install platform from the install path, which implies the agent may need to inspect installation paths or environment metadata. The skill also instructs the agent not to display raw API responses or token values to the user — this is unusual (it hides token values), so the skill should document where the token and session are stored and who can access them. All network calls are limited to the nemovideo API domain; there are no other external endpoints in the instructions.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest risk from installation. Nothing is being downloaded or written by an installer step described in the registry.
Credentials
note: Only a single credential (NEMO_TOKEN) is required, which is proportional to a backend API-driven renderer. The frontmatter mention of a config path (~/.config/nemovideo/) is not declared in the registry requirements and should be clarified (why and how is that path used?). The skill's ability to generate an anonymous token itself reduces the need for pre-provisioned credentials, but you should confirm where that token and session data are stored and for how long.
Persistence & Privilege
ok: always=false, and autonomous invocation is the platform default. The skill does request creation/storage of a session_id and use of a token, but it does not ask for system-wide or other skills' configuration changes. No elevated persistent privilege is requested in the registry.