Skill v1.0.0
ClawScan security
Free Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 1:21 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches its stated purpose (adding music to videos) but contains a few inconsistencies and minor scope-creep (metadata vs. registry mismatch, instructions that require reading installer paths and implicit filesystem access) that warrant caution before installing.
- Guidance: This skill appears to do what it says — it uploads user video files to an external service (mega-api-prod.nemovideo.ai) to add royalty-free music and returns a downloadable file. Before installing, consider: 1) Privacy and data residency — your videos are uploaded to a third-party cloud; check the service's privacy/retention policy and whether you're comfortable with that. 2) Token handling — the skill will create and persist an anonymous NEMO_TOKEN if none is provided; you can avoid automatic token creation by pre-providing your own token or declining the skill. 3) Metadata mismatch — the SKILL.md mentions a config path (~/.config/nemovideo/) but the registry metadata lists no required config paths; ask the author which is correct and what (if any) local files will be read. 4) Attribution headers and install-path detection require the agent to inspect its runtime/install path; confirm you're comfortable with the agent reading that path. If you need higher assurance, ask the publisher for a homepage, privacy policy, and proof of ownership of the mega-api-prod.nemovideo.ai domain before using the skill.
Review Dimensions
- Purpose & Capability (ok): The name/description (add background music to videos) aligns with the actions the SKILL.md instructs (upload video, call a cloud render API, return download URL). Requesting a single service token (NEMO_TOKEN) is appropriate for a cloud rendering service.
- Instruction Scope (note): Most instructions stay within the stated purpose (session creation, SSE messaging, upload, export, polling). Minor scope items: the skill asks the agent to detect the installation path to populate X-Skill-Platform (requires inspecting the agent's filesystem/runtime path) and to store session_id between requests; it also explicitly instructs not to show raw API responses or tokens to users, which is plausible for UX but reduces transparency. These are not clearly malicious but broaden the agent's actions beyond simple API calls.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill — so nothing is written to disk by an installer. This is the lowest-risk install pattern.
- Credentials (concern): The skill declares a single primary env var (NEMO_TOKEN), which is reasonable. However, the YAML frontmatter in SKILL.md includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — this inconsistency may indicate a hidden expectation to read that config directory (potentially to find tokens or configs). The skill also advises auto-generating and storing anonymous tokens, which means credentials will be created and persisted by the agent if NEMO_TOKEN is absent.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated platform privileges. Storing a session_id and re-using the NEMO_TOKEN for the session is normal for a service client. It does not request modifying other skills or global agent settings in the instructions.
