Skill v1.0.0
ClawScan security
Generator Meta Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 4:58 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud video metadata/rendering service: it only needs a service token, routes uploads and commands to the provider's API, and has no installable code or unrelated credential demands.
- Guidance: This skill sends your uploaded videos and commands to the external domain mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or will fetch an anonymous token). That is expected for a cloud rendering/metadata service, but be aware: (1) any sensitive content you upload will be transmitted to and processed by that third party, (2) the skill may persist session tokens (frontmatter references ~/.config/nemovideo/ though SKILL.md is vague about where it saves them), and (3) there is no local install so no local code is executed, but network exfiltration of uploaded media is intrinsic to the service. Only install/use this skill if you trust the service and are comfortable uploading the media; if unsure, avoid providing a long-lived NEMO_TOKEN and prefer the anonymous flow or test with non-sensitive clips. If you later want to revoke access, rotate/revoke the token with the service.
Review Dimensions
- Purpose & Capability (ok): Name/description (generate AI metadata and render/download videos) match the declared requirement for a single service credential (NEMO_TOKEN) and use of the provider's rendering endpoints. There are no unrelated env vars or binaries requested.
- Instruction Scope (note): SKILL.md instructs the agent to use NEMO_TOKEN (or obtain an anonymous token by POSTing a generated UUID) and to create/save a session_id, then upload video content and drive the provider's API (SSE, upload, export). This stays within the stated purpose, but the instructions are permissive about uploading user videos to an external domain and are vague about where session tokens/session_id should be saved (frontmatter lists a config path but SKILL.md doesn't say to read/write it explicitly).
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. Low install risk.
- Credentials (note): Only one credential (NEMO_TOKEN) is required, which is proportional to a cloud API. The skill will also POST to an anonymous-token endpoint to obtain ephemeral credentials if none are present. Users should note that providing the token (or using the anonymous token flow) grants the service access to uploaded media and render jobs.
- Persistence & Privilege (ok): always is false and the skill does not request system-level privileges. It does instruct saving session identifiers/tokens (normal for API clients) but does not request modification of other skills or global agent settings.
