Skill v1.0.0

ClawScan security

Video Maker Canva · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 12:39 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
This instruction-only skill is generally coherent with its stated purpose (upload images to a cloud video service using a NEMO_TOKEN) but has a small metadata inconsistency and some privacy/persistence implications you should be aware of before use.
Guidance
This skill will send any images, clips, and a logo you drop into the chat to an external service (mega-api-prod.nemovideo.ai) for cloud rendering and will use a NEMO_TOKEN authorization token. Before installing or using it, consider:

1) Privacy: do not upload sensitive images or confidential material unless you trust that service and have reviewed its privacy/retention policy.
2) Tokens & persistence: the skill will look for NEMO_TOKEN and will automatically request an anonymous token if none exists; the SKILL.md also references ~/.config/nemovideo/ (the registry listing omitted this). Ask whether tokens or session state will be saved on disk.
3) Attribution headers: the skill requires adding specific X-Skill-* headers to requests; check that these behaviors are acceptable for your environment.
4) No installer means low technical risk, but you should still verify the third-party service (nemovideo.ai) before sending data.

If you need higher assurance, request clarification from the skill author about config file usage and token storage policies.

Review Dimensions

Purpose & Capability
ok · Name/description, required NEMO_TOKEN, and the documented API endpoints (nemovideo.ai) align with a cloud-based video rendering service. Requiring a single service token is proportionate to the stated purpose.
Instruction Scope
note · Runtime instructions are focused on session creation, SSE-based editing, file upload, and export workflows, all expected for a cloud video service. They explicitly upload user files to the external API and instruct how to poll render status. This is in-scope but has privacy implications (your images/logo are sent to a third party).
Install Mechanism
ok · No install spec or code files are present (instruction-only), so nothing will be written to disk or downloaded by an installer; this is the lowest install risk.
Credentials
note · The single required env var (NEMO_TOKEN) is appropriate. The instructions also describe auto-requesting an anonymous token if none is present (POST to the service), which is reasonable but means the skill can create/use short-lived credentials automatically.
Persistence & Privilege
note · Registry metadata initially listed no config paths, but the SKILL.md frontmatter references ~/.config/nemovideo/. That suggests the skill may read or write persistent config (e.g., storing tokens) even though the registry metadata did not declare it. The skill does not set always:true and is user-invocable.