Skill v1.0.0

ClawScan security

And Analyze Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:18 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a remote video-analysis service: it needs a single service token (NEMO_TOKEN), uploads user video files to a remote API, and performs session/upload/render workflows described in the SKILL.md.
Guidance
This skill appears coherent for a remote video-analysis service, but before installing: (1) confirm you trust the external host (mega-api-prod.nemovideo.ai) because your video files and session data will be uploaded there; (2) only provide an API token (NEMO_TOKEN) that is appropriate for this use, and do not put unrelated secrets in that environment variable; (3) clarify the config-path discrepancy: the SKILL.md mentions ~/.config/nemovideo/ but the registry metadata does not, so ask the author whether the skill will read local config files (which could contain tokens); (4) expect network activity and token requests to happen in the background without always being shown to the user (the SKILL.md asks to hide technical details); and (5) if you need higher assurance, request the publisher's privacy/security policy and retest with non-sensitive sample videos first.

Review Dimensions

Purpose & Capability
ok: The skill is a remote video analysis/export helper. Requesting a single API token (NEMO_TOKEN) and describing endpoints for session creation, upload, SSE, and render/export is proportionate to that purpose. Nothing else (e.g., unrelated cloud credentials or binaries) is requested.
Instruction Scope
note: The SKILL.md instructs the agent to upload user-provided video files, create sessions, use server-sent events, poll render status, and re-acquire anonymous tokens when needed. Those actions are appropriate for the declared goal, but the instructions also say to 'keep the technical details out of the chat', meaning network activity and token acquisition may happen without verbose user-visible traces. This is operationally normal but reduces transparency; users should understand files and metadata will be sent to the described API host (mega-api-prod.nemovideo.ai).
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. That is the lowest-risk install model.
Credentials
note: The only declared credential is NEMO_TOKEN (primaryEnv), which is proportional for a hosted video-analysis API. The skill will also generate an anonymous token if NEMO_TOKEN is missing. One inconsistency: the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) but the registry metadata lists no required config paths. If the agent actually reads that path it could access stored tokens or configs; the registry metadata and instructions disagree, so confirm whether the skill will read local config files.
Persistence & Privilege
ok: always:false and no install hooks are present. The skill does not request permanent platform-wide privileges. It performs network calls and uploads during operation but does not request to modify other skills or persist elevated privileges.