Skill v1.0.0

ClawScan security

Movie Maker Laptop Free Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 6:58 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches a cloud video-editing tool (it only needs a NEMO_TOKEN and describes an upload/render API), but there are inconsistent metadata and instructions that ask the agent to probe filesystem/config paths and infer install locations — behaviors that don't clearly match the stated purpose.
Guidance
This skill appears to implement a cloud video-editing flow and needs a NEMO_TOKEN to call nemo-video APIs — that part is coherent. Before installing or using it, consider:
1) Confirm the backend domain (https://mega-api-prod.nemovideo.ai) is legitimate and review its privacy/security policy;
2) Ask the publisher to explain the mismatch between registry metadata (no config paths) and the SKILL.md metadata (~/.config/nemovideo/) and why the skill would need to read your config or detect install paths;
3) Avoid uploading sensitive or private footage until you trust the service;
4) If you must provide a token, prefer an anonymous/limited token and revoke it after testing;
5) Request the skill's source or an official homepage so you can verify implementation details.
These inconsistencies don't prove malicious intent but do merit clarification before trusting the skill with files or credentials.

Review Dimensions

Purpose & Capability
note: Name/description describe cloud AI video editing and the declared primary credential (NEMO_TOKEN) matches a backend service token. However the SKILL.md metadata lists a config path (~/.config/nemovideo/) that the registry metadata omitted, which is an inconsistency worth clarifying.
Instruction Scope
concern: Instructions ask the agent to upload local files, create sessions, stream SSE, and download results — all expected for video editing. But the skill also instructs detection of install paths to set headers and references reading YAML frontmatter and a user config directory; that implies the agent may probe filesystem locations beyond explicit inputs, which is broader scope than a simple upload/edit flow.
Install Mechanism
ok: No install spec and no code files (instruction-only) — lowest install risk. Nothing is downloaded or written to disk by an installer.
Credentials
note: Only NEMO_TOKEN is required and is justified by the API. The SKILL.md also describes obtaining an anonymous token if none is present, which is reasonable. The presence of a configPaths entry in the SKILL.md metadata (but not in registry metadata) raises a proportionality question: why would the skill need access to ~/.config/nemovideo/?
Persistence & Privilege
ok: always is false and the skill doesn't request persistent system-wide privileges. It does instruct opaque token management (generate/use anonymous token), but that is operational rather than privileged.