Skill v1.0.0

ClawScan security

Video Maker Italiano · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 7:29 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (cloud video creation) aligns with the API calls in the instructions, but there are inconsistencies around required environment/config declarations and a few instructions that ask the agent to access install/config paths and derive attribution headers — things the registry metadata doesn't declare; these mismatches warrant caution before installation.
Guidance
This skill mostly does what it says (uploads your media to a third‑party video rendering API and returns a download URL) but there are a few places to double-check before installing and using it:

- Confirm the service identity and trustworthiness of mega-api-prod.nemovideo.ai (privacy, retention, and who can access uploaded files).
- Decide whether you want to supply your own NEMO_TOKEN or let the skill obtain an anonymous token; the SKILL.md both requires and auto-creates the token, which is inconsistent.
- Ask the publisher to clarify why the skill needs to detect install paths and whether it will read local config directories (the YAML references ~/.config/nemovideo/ and platform detection using ~/.clawhub/ or ~/.cursor/skills/). If you do not want local path checks, do not install/use the skill until clarified.
- Because files are uploaded to an external service, do not send sensitive or private media unless you accept the external processing and storage policies.

What would change this assessment: explicit publisher/source information or homepage, clear statement that the skill will not read local config files or will only read declared paths, and documentation from the backend service describing the anonymous-token flow and token lifetime/permissions. If those are provided and match the metadata, confidence could be raised to high and the verdict could become benign.

Review Dimensions

Purpose & Capability
note: The skill claims to convert images + an MP3 to 1080p videos using a cloud backend; the SKILL.md describes endpoints for session creation, upload, render, credits and export, which are coherent with that purpose. Minor inconsistency: the registry summary shown to you lists no required config paths, but the skill's YAML frontmatter claims a config path (~/.config/nemovideo/). That difference should be clarified.
Instruction Scope
concern: Instructions tell the agent to read NEMO_TOKEN from the environment but also to generate an anonymous token via a backend endpoint if none exists, which conflicts with the 'required env var' metadata. The skill also instructs the agent to derive an X-Skill-Platform header by inspecting install paths (e.g., ~/.clawhub/, ~/.cursor/skills/), which implies checking filesystem locations not declared in the registry metadata. All other runtime actions (uploading user files to mega-api-prod.nemovideo.ai, polling renders, streaming SSE) are within scope for cloud-based video creation.
Install Mechanism
ok: Instruction-only skill with no install spec or code files, which is the lowest install risk. Nothing would be written to disk by an installer.
Credentials
note: Only one credential (NEMO_TOKEN) is declared as primary, which is reasonable for a third-party video API. However, the instructions both read that env var and create an anonymous token if absent, so requiring NEMO_TOKEN up front appears unnecessary or at least inconsistent. The frontmatter's configPaths entry (~/.config/nemovideo/) is not reflected in the registry's declared required config paths and may indicate undisclosed local config access.
Persistence & Privilege
ok: always:false and no instructions to persist or modify other skills or system-wide settings. The skill stores session_id for the active session, which is normal for short-lived operations; nothing claims permanent elevated privileges.