Skill v1.0.0
ClawScan security
Video Speed · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 6:37 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions broadly match a cloud video-processing purpose, but there are a few inconsistencies and privacy-relevant behaviors (automatic anonymous-token creation and remote uploads) that you should understand before installing.
- Guidance: This skill appears to do exactly what it says (upload clips to a cloud service, request edits, and return rendered video), but it will send your video files to an external service (mega-api-prod.nemovideo.ai) and, if you don't provide NEMO_TOKEN, will automatically obtain an anonymous token on your behalf. Before installing: 1) Decide whether you trust nemovideo.ai to process and store your videos (privacy/legal implications). 2) If you need auditability, provide your own NEMO_TOKEN rather than letting the skill auto-create one. 3) Ask the author to clarify the config-path behavior (~/.config/nemovideo/) and whether any files will be stored locally. 4) If you want to avoid automatic network calls, ensure the skill is only invoked when you intend to upload. These clarifications would reduce the remaining uncertainties and could change the assessment to benign.
Review Dimensions
- Purpose & Capability [note]: Name/description align with cloud video speed-adjustment and export functionality. Requested primary credential (NEMO_TOKEN) is consistent with a hosted rendering backend. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata stated no required config paths — this mismatch should be clarified.
- Instruction Scope [note]: Instructions are explicit about connecting to a third-party API, creating sessions, uploading user video files, using SSE for edits, and polling for render results — all expected for this purpose. They do not ask to read arbitrary local files beyond the uploaded clips and do not request additional environment variables. Important behavioral note: the skill will automatically obtain an anonymous token and begin communicating with the nemovideo.ai backend if NEMO_TOKEN is not present, and it instructs the agent to 'not display raw API responses or token values' to the user — this can obscure the token lifecycle and backend responses, which affects transparency and auditability.
- Install Mechanism [ok]: Instruction-only skill with no install spec and no code files — lowest install-risk class. Nothing is written to disk by an installer step in the package itself.
- Credentials [concern]: Only one env var (NEMO_TOKEN) is declared, which is proportionate for a remote-rendering API. But the skill will auto-generate an anonymous token via the backend if NEMO_TOKEN is absent; that behavior effectively gives the skill the ability to create and use credentials without explicit user-provided secrets. Also the frontmatter declares a config path (~/.config/nemovideo/) not listed in the registry metadata — unclear whether the skill will read or write that directory.
- Persistence & Privilege [ok]: Skill is not always-enabled and does not request elevated agent-wide privileges. It asks to store a session_id for requests, which is standard. There is no instruction to modify other skills or global agent config.
