Skill v1.0.0
ClawScan security
Video Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 8:52 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a cloud-based video publishing service and ask only for a single service token; nothing in the package suggests unrelated or hidden capabilities.
- Guidance: This skill appears to do exactly what it says: upload videos to an external rendering service and return processed files. Before installing, consider: (1) uploaded videos are sent to mega-api-prod.nemovideo.ai — do not upload sensitive or private footage unless you trust that service and have reviewed its privacy/TOS; (2) the skill will create or use a NEMO_TOKEN (you can supply your own token instead of using the anonymous flow); (3) it references a local config path and checks common install paths — verify you are comfortable with the skill reading/writing its own config under ~/.config/nemovideo/ and detecting install directories; (4) because the skill performs network uploads, review corporate policy if you work with regulated data. If any of these are unacceptable, do not enable the skill or provide a token.
Review Dimensions
- Purpose & Capability (ok): Name/description (cloud video processing and publishing) align with the single required credential (NEMO_TOKEN), listed config path (~/.config/nemovideo/) and the API endpoints in the instructions. Requested capabilities (upload, render, export) map to the documented API surface.
- Instruction Scope (note): SKILL.md instructs the agent to obtain an anonymous token if NEMO_TOKEN is not present, create a session, upload files, run render/export and poll status — all expected for this service. Minor scope notes: it asks the runtime to detect an install path (to set X-Skill-Platform) and references a config path in frontmatter; the skill does not explain reading or writing files under ~/.config/nemovideo/ beyond declaring it. Ensure the agent only uses those paths for legitimate config caching and not for broader system access.
- Install Mechanism (ok): Instruction-only skill with no install spec and no packaged code — lowest install risk. All network interactions are to the documented mega-api-prod.nemovideo.ai domain.
- Credentials (ok): Only a single service credential (NEMO_TOKEN) is required, which is proportional to a cloud rendering/publishing service. The skill documents an anonymous-token flow to obtain a short-lived token if none is supplied; that behavior is reasonable but note this will create a token tied to the external service.
- Persistence & Privilege (ok): always is false and agent autonomous invocation is default. The skill asks to store a session_id and may cache a token (expected for session continuity). It does not request system-wide config changes or other skills' credentials.
