Skill v1.0.0

ClawScan security

Editor Ai Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 10, 2026, 10:26 PM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior mostly matches a cloud video editor (it uploads user videos to a remote API), but its declared requirements and metadata are inconsistent, and there are privacy/exfiltration concerns: it sends user files to an unverified third-party endpoint, and the package source is unknown.
Guidance
This skill will send whatever you upload (videos, audio, images) to https://mega-api-prod.nemovideo.ai for cloud processing; do not upload sensitive or private footage unless you trust that service. Note that the skill's registry metadata and its runtime instructions disagree: the SKILL.md frontmatter declares a config path that the registry listing omits, and the registry marks NEMO_TOKEN as required while the instructions fall back to an anonymous token when it is absent. The source and homepage are unknown, so you cannot easily verify the backend operator or its data-retention and deletion policies. Before installing or using it: (1) avoid uploading confidential media, (2) prefer a vendor you trust, or ask the publisher for a privacy/terms link, (3) if you do provide a NEMO_TOKEN, make sure its scope is limited, and (4) ask the publisher why the skill needs to detect its install path or read its own frontmatter. If you need stronger assurance, request the source code or an official homepage and a clear data-retention/privacy statement.

Review Dimensions

Purpose & Capability
note: The skill's name and description (cloud video editing) align with its instructions to create sessions, upload video files, render, and return download URLs, and requesting a NEMO_TOKEN for API access is expected. However, the SKILL.md metadata declares a config path (~/.config/nemovideo/) that is missing from the top-level registry 'Required config paths', and the registry lists NEMO_TOKEN as required while the runtime instructions include an anonymous-token fallback; the two sources are inconsistent.
Instruction Scope
concern: The instructions explicitly direct the agent to upload user videos (multipart file uploads or URLs) to https://mega-api-prod.nemovideo.ai and to poll for and download the render results. Uploading potentially large, private media to a third-party server is intrinsic to the skill, but it is a high-privacy operation and should be highlighted to users. The doc also instructs the agent to read the skill's YAML frontmatter and detect its install path in order to set attribution headers; reading install paths or files requires filesystem access that basic editing does not need, and is an unexpected side action.
Install Mechanism
ok: No install spec or code files; this is an instruction-only skill, which minimizes on-disk install risk.
Credentials
note: Only one credential (NEMO_TOKEN) is declared, which is proportional for a cloud API. However, SKILL.md permits generating an anonymous token if NEMO_TOKEN is absent. Declaring NEMO_TOKEN as 'required' while providing an anonymous fallback is inconsistent and may mislead users about whether a secret is strictly necessary. The config path in the metadata (~/.config/nemovideo/), which the registry listing does not surface, is a second inconsistency.
Persistence & Privilege
ok: always:false and normal autonomous invocation are used. The skill does not request permanent platform-wide privileges, and there is no evidence that it modifies other skills or agent-wide config.