Skill v1.0.0

ClawScan security

Christmas Video Maker Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 9:04 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a remote video-rendering integration, but there are small metadata inconsistencies and you should be aware that your photos are uploaded to an external service and an ephemeral token may be created automatically.
Guidance
This skill appears to do what it says: upload photos to a remote service (mega-api-prod.nemovideo.ai) to produce videos and requires a NEMO_TOKEN. Before installing, consider:
1) Privacy: your images and audio will be uploaded to an external service; verify you trust the provider and check its retention/privacy policy.
2) Token behavior: if you don't provide NEMO_TOKEN, the skill will create an anonymous token and store it for session use (100 free credits, 7-day validity).
3) Metadata inconsistency: the skill’s frontmatter references a config path (~/.config/nemovideo/) though the registry metadata did not; ask the publisher to clarify whether the skill reads or writes that path.
4) Source trust: the skill's source/homepage is unknown; prefer skills from known publishers or inspect network endpoints before use.
If any of these are unacceptable, do not install or provide credentials.

Review Dimensions

Purpose & Capability
ok
Name, description, and runtime instructions all point to a cloud video rendering service (nemovideo API). Requesting a NEMO_TOKEN is proportional to this purpose. One inconsistency: the registry metadata listed no required config paths, but the skill frontmatter includes a configPaths entry (~/.config/nemovideo/). This discrepancy should be resolved.
Instruction Scope
note
SKILL.md limits actions to: checking NEMO_TOKEN, obtaining an anonymous token if absent, creating a session, uploading files, driving SSE and render endpoints, and polling for status. These are within the stated scope. Note: instructions require creating/storing a returned token/session_id and auto-detecting install/platform path for an attribution header, which may require access to agent runtime state/config and storing ephemeral secrets for the session.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files, so it carries the lowest install risk. All network calls are to the nemovideo API; no archives or external installers are pulled.
Credentials
note
Only NEMO_TOKEN is declared as required (primaryEnv). That matches the API usage. The skill will also generate an anonymous token if NEMO_TOKEN is missing; this behavior is explained but users should know a token will be created and persisted for session use. No other unrelated secrets are requested.
Persistence & Privilege
ok
always:false and no system-wide changes are requested. The skill expects to hold a session_id / ephemeral token for the duration of operations, which is normal for a remote API client. It does not request elevated or cross-skill configuration changes.