Skill v1.0.0

ClawScan security

Showcase Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 4:31 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud video-processing service: it needs a NEMO_TOKEN and uploads user video to the nemovideo.ai endpoints — nothing appears disproportionate or unrelated to its stated purpose.
Guidance
This skill appears to do what it says: it uploads your clips to a nemovideo.ai backend for cloud editing and returns a download link. Before installing or using it, consider: (1) Privacy: you will be uploading video/audio files to a third-party domain — do not upload sensitive footage you wouldn't want shared. (2) Token safety: provide a throwaway/anonymous token where possible (the skill can request an anonymous token), and avoid pasting a long-lived production API key unless you trust the service. (3) Persistence: ask the skill author whether session_id or tokens are persisted to ~/.config/nemovideo/ (or anywhere else) and how long they are kept. (4) Domain verification: if you require assurance, verify the service domain (mega-api-prod.nemovideo.ai) and its privacy/terms. (5) Registry mismatch: the SKILL.md lists a config path but the registry metadata did not — confirm this inconsistency with the publisher before granting any credentials.

Review Dimensions

Purpose & Capability
note: The skill claims to be a cloud video highlight/export tool and only requests a single credential (NEMO_TOKEN), which is appropriate. Note: the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) used for storage, but the registry metadata shown earlier listed no required config paths — this mismatch in declarations is an incoherence worth confirming with the author.
Instruction Scope
ok: Instructions stay within the video-processing domain: creating or obtaining a token, creating a session, uploading video files (up to 500MB), handling SSE for edits, polling export status, and returning a download URL. The skill explicitly instructs not to print tokens or raw JSON. It does request deriving an X-Skill-Platform header by detecting common install paths, which is a small local-info read for attribution headers and not necessary for core functionality but not unexpected.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer — lowest-risk install footprint.
Credentials
ok: Only NEMO_TOKEN is required (declared as the primary credential). That aligns with a service that needs an API token for uploads and renders. Be aware that the token grants the ability to create render jobs and consume credits — treat it as sensitive.
Persistence & Privilege
note: always:false and no special privileges are requested. However, the SKILL.md mentions saving session_id and references a config path (~/.config/nemovideo/) where the skill may persist state; the registry summary earlier showed no required config paths — confirm whether and where the skill will store session state or tokens, and whether it writes to that config path.