Skill v1.0.0

ClawScan security

Video Maker Free App Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 14, 2026, 4:41 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match a cloud video-editing service, but there are inconsistencies and modest privacy/leakage risks (unknown source, metadata mismatch, and headers that may reveal local install paths) that you should consider before using it or uploading sensitive videos.
Guidance
This skill appears to perform cloud-based video editing as described, but proceed carefully: (1) The skill will upload whatever video files you send to a third-party domain (mega-api-prod.nemovideo.ai) — do not upload sensitive or private footage unless you trust that service. (2) The skill asks for or will create a NEMO_TOKEN; if you prefer, avoid pre-setting a long-lived credential and rely on the anonymous token flow, or run in an isolated environment. (3) The SKILL.md requests adding headers derived from local install paths which can leak runtime/install information — consider asking the publisher or removing that header behavior. (4) The package source and homepage are unknown; if you need stronger assurance, verify the domain/service out-of-band (official website, documentation, or reputation) before installing or uploading data. (5) The metadata inconsistency (declared vs. SKILL.md config paths) should be clarified by the author; if uncertain, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
note
The name and description (cloud AI video editing/export) align with the runtime instructions (upload, session creation, render/export endpoints). Requesting a single NEMO_TOKEN credential is proportional for a remote service. However the skill's declared registry metadata omitted a config path that appears in the SKILL.md frontmatter (SKILL.md lists ~/.config/nemovideo/), which is an inconsistency.
Instruction Scope
concern
The SKILL.md instructs the agent to check for NEMO_TOKEN, otherwise obtain an anonymous token by POSTing to https://mega-api-prod.nemovideo.ai and treat that token as NEMO_TOKEN. It then uploads user video files and polls for render results — these network calls are expected for the stated purpose. Concern: the skill requires adding attribution headers that include a platform value derived from local install path detection (~/.clawhub, ~/.cursor/skills/). That behavior can leak local runtime/install-path information to the remote service and is not necessary for basic video upload/processing.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. This is the lowest-risk install mechanism.
Credentials
note
Only NEMO_TOKEN is declared as required, which fits a cloud API. The SKILL.md also describes generating an anonymous token if none is present (100 free credits, 7-day expiry), which reduces the need for a long-lived secret. The SKILL.md frontmatter references a config path (~/.config/nemovideo/) even though registry metadata lists no required config paths—this mismatch should be clarified. No other unrelated secrets are requested.
Persistence & Privilege
ok
always is false and model invocation is allowed (the platform default). The skill does not request persistent system-wide privileges or configuration changes in the instructions.