Skill v1.0.0

ClawScan security

Viral Title Generator Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 12:46 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video/title-generation service, but there are small metadata inconsistencies and privacy implications (you will upload videos and a token is sent to a remote API) you should be comfortable with before installing.
Guidance
This skill appears to do what it claims: it will upload your video files to a remote service (mega-api-prod.nemovideo.ai) and use a NEMO_TOKEN (or obtain an anonymous token) to create sessions, run SSE, and return rendered MP4s. Before you install/use it:
1) Confirm you are comfortable uploading the videos (don’t send sensitive or private footage).
2) Verify the backend domain and review its privacy/retention policy if possible.
3) Note the SKILL.md may probe install paths (~/.clawhub, ~/.cursor, and references a ~/.config/nemovideo/) to set a header — if you want to avoid environment disclosure run the skill in a restricted environment or ask the publisher to remove that behavior.
4) Use an anonymous token or ephemeral environment if you prefer not to provide a persistent NEMO_TOKEN.
5) Ask the publisher to resolve the metadata mismatch (registry says no config paths but the skill frontmatter lists one) for clarity.

Review Dimensions

Purpose & Capability
ok · Name/description (generate viral titles and cloud video processing) match the runtime instructions: the SKILL.md describes creating sessions, uploading video, requesting renders, and returning download URLs from a single backend (mega-api-prod.nemovideo.ai). Requiring a NEMO_TOKEN (or obtaining an anonymous one) is consistent with a hosted service.
Instruction Scope
note · Instructions routinely perform network calls to the declared backend, upload user video files, create sessions, stream SSE messages, and poll render state — all consistent with the described cloud workflow. The doc also says to detect X-Skill-Platform from install paths (e.g. checking ~/.clawhub/ or ~/.cursor/skills/), which implies reading parts of the user's home/install path to set a header; that's not strictly necessary for title generation and will disclose some environment details to the backend.
Install Mechanism
ok · No install spec and no code files — instruction-only skill — so nothing is written to disk by an installer. This minimizes install-time risk.
Credentials
note · The only declared credential is NEMO_TOKEN and the SKILL.md documents a reasonable anonymous-token fallback flow. That is proportionate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is an incoherence to verify. Also the skill will send the token and other headers to the remote API, so the token grants access to the user's session on that service.
Persistence & Privilege
ok · always:false and no instructions to modify other skills or system-wide settings. Model invocation is allowed (default) which is normal for skills. The skill does not request permanent presence or elevated privileges.