Skill v1.0.0

ClawScan security

Italiano Photo Video Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 12:40 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud photo-to-video service (it needs a NEMO_TOKEN or can obtain an anonymous token and uploads user media to nemovideo.ai), but there are small metadata/instruction mismatches you should be aware of before use.
Guidance
This skill will upload any photos/videos you provide to mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN (or will obtain a temporary anonymous token). Confirm you trust that external service before sending sensitive images. Note the SKILL.md includes a config-path declaration (~/.config/nemovideo/) even though the registry metadata didn't — ask the publisher which is correct. If you supply a permanent NEMO_TOKEN, ensure it has only the scopes you intend; otherwise, use the anonymous flow for limited, short-lived access. Finally, because this is instruction-only, runtime behavior depends on the agent making the described API calls — review network/privacy policies for the platform if you need stronger guarantees.

Review Dimensions

Purpose & Capability
note: The skill name/description match its behavior: it uploads images/video and requests a NEMO_TOKEN to call nemovideo.ai endpoints. One inconsistency: registry metadata listed no config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). Reading a service config directory is plausible for a client, but the registry/manifest disagreement is worth verifying.
Instruction Scope
note: SKILL.md gives explicit step-by-step API flows (session creation, SSE for chat, upload, export/poll), which are appropriate for a cloud render service. It also instructs the agent to: read this file's YAML frontmatter at runtime and detect install path to set an X-Skill-Platform header — these require access to the agent's environment/paths but are limited in scope. No instructions ask the agent to read unrelated system files or arbitrary environment variables.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — minimal on-disk installation risk.
Credentials
ok: Only NEMO_TOKEN is declared as required and used as a Bearer token for the service. The skill includes a documented anonymous-token fallback flow so it can operate without a pre-provisioned token. No unrelated credentials are requested.
Persistence & Privilege
ok: always:false and no instructions to modify other skills or system-wide settings. The skill will perform network requests and upload user media to the nemovideo.ai backend (expected for this purpose).