Skill v1.0.0

ClawScan security

Video Maker For Free Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 4:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code-free instructions, required credential (NEMO_TOKEN), and API usage align with a cloud video-rendering service; no signs of obvious misdirection or excessive permissions, though it will send user media to a third-party API and a small metadata inconsistency exists.
Guidance
This skill appears coherent for its stated purpose, but it will upload whatever media the user supplies to a third-party API (mega-api-prod.nemovideo.ai) and may generate/obtain an anonymous token if no NEMO_TOKEN is supplied. Before installing or using it: (1) confirm you trust that remote service and are comfortable with your media and any metadata being transmitted and stored there; (2) avoid uploading sensitive content (private documents, PII, proprietary images) unless you’ve verified the service’s privacy terms; (3) be aware the skill may read some local agent/installation context to set headers (the SKILL.md lists a config path in its metadata) — if you want to be cautious, run it in a restricted environment or supply an explicit NEMO_TOKEN; (4) the skill’s registry/metadata had a small mismatch about config paths — consider asking the author for clarification or checking logs to see what local paths it actually reads.

Review Dimensions

Purpose & Capability
ok: The skill claims to create/export videos and its instructions exclusively describe calls to a video-rendering backend (session creation, upload, render, download). Requesting a single NEMO_TOKEN credential is proportionate to that purpose. Note: SKILL.md includes a configPaths entry (~/.config/nemovideo/) in its YAML metadata while the registry metadata lists no required config paths — a minor inconsistency in declared metadata.
Instruction Scope
note: Runtime instructions stay within the stated video-creation flow (create session, upload files, run SSE, export). The skill will generate an anonymous token if no NEMO_TOKEN is present and will upload user media to https://mega-api-prod.nemovideo.ai. It also instructs deriving an attribution header value from the agent install path (reading install path to infer X-Skill-Platform), which is reasonable but means the skill reads some environment/installation context beyond just the provided token.
Install Mechanism
ok: There is no install spec and no code files; this is instruction-only so nothing is downloaded or written to disk by the skill itself. That minimizes install-time risk.
Credentials
note: Only one credential (NEMO_TOKEN) is required and justified by the API calls. The SKILL.md also documents creating an anonymous token if NEMO_TOKEN is missing, which reduces the need for long-lived secrets but means the agent will call an auth endpoint automatically. The YAML metadata's configPaths field (~/.config/nemovideo/) is declared in the skill file but not in registry metadata — if the skill reads that path at runtime it could access local config, so verify whether your agent will expose those files.
Persistence & Privilege
ok: always is false and the skill is user-invocable; disable-model-invocation is false (normal). The skill does not request permanent system-level presence or to modify other skills. Note that autonomous invocation is allowed by default on the platform — combined with network access this means the skill can contact the remote API when invoked.