Skill v1.0.0

ClawScan security

Add Music To Video Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 9, 2026, 6:25 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions largely match a cloud video-processing tool; nothing obvious is asking for unrelated credentials or system-wide access, but there are a few minor inconsistencies you should understand before installing.
Guidance
This skill behaves like a cloud-backed video-processing integrator and is internally coherent, but take these precautions before use:
1) Only upload media you are comfortable sending to an external service — videos may contain private data.
2) Prefer the anonymous-token flow rather than pasting a long-lived NEMO_TOKEN into the environment; if you must use a token, treat it as sensitive.
3) Note the metadata requests a config path (~/.config/nemovideo/) and the skill may detect install path to set headers — if you are uncomfortable with any code reading your home-directory config, do not install or run it in an environment with sensitive files.
4) Verify the API domain (mega-api-prod.nemovideo.ai) and, if possible, review the remote service's privacy/terms.
If you want higher assurance, ask the publisher for source code or run the skill in a sandboxed agent.

Review Dimensions

Purpose & Capability
note
Name/description (cloud video music overlay) match the declared primary credential (NEMO_TOKEN) and the API endpoints in SKILL.md. Minor inconsistency: metadata lists a config path (~/.config/nemovideo/) and the skill asks the agent to detect an install path for header construction — neither is necessary to perform simple uploads/exports and could require reading filesystem state.
Instruction Scope
ok
SKILL.md contains concrete API calls (auth, session creation, SSE, upload, render/poll, credits). All referenced actions are relevant to adding music and exporting video. The instructions do not ask the agent to scan arbitrary files or exfiltrate unrelated environment variables. The only expanded scope is the install-path detection used to set an attribution header.
Install Mechanism
ok
Instruction-only skill with no install steps or remote downloads. Lowest-risk category: nothing is written to disk by an installer.
Credentials
ok
Only a single service credential (NEMO_TOKEN) is declared as required. The skill also documents an anonymous-token flow (POST to /api/auth/anonymous-token) if NEMO_TOKEN is not present, which reduces the need to provide a long-lived secret. No other unrelated tokens or secrets are requested.
Persistence & Privilege
ok
always:false and no special persistent privileges requested. The skill does not ask to modify other skills or system-wide settings.