Skill v1.0.0

ClawScan security

Video Maker Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 5:50 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (cloud video editing) matches most of its instructions and its single required secret (NEMO_TOKEN), but there are small inconsistencies and clear privacy implications (user videos are sent to an external API) that you should understand before installing.
Guidance
This skill will upload your video files and metadata to an external service (mega-api-prod.nemovideo.ai) and use either a provided NEMO_TOKEN or an anonymously obtained token — do not use it with sensitive or private footage unless you trust the service and its terms. Ask the publisher to explain the config-path discrepancy (~/.config/nemovideo/ present in SKILL.md but not in registry metadata) and to confirm what data is stored or logged by their backend. Because the skill has no install step it won’t write code to disk, but network transmission of your files is intrinsic to its function — consider creating/revoking a limited-scope token for testing, review the service's privacy/retention policies, and avoid using global/high-privilege credentials.

Review Dimensions

Purpose & Capability
note: The name/description (YouTube-ready video creation) aligns with requiring a backend API token (NEMO_TOKEN) and with instructions to upload files and request renders. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata says no required config paths — this mismatch is unexplained and should be clarified.
Instruction Scope
note: The runtime instructions are concrete and stay within video-editing scope: create/refresh sessions, upload video files (multipart or via URL), send SSE edit commands, poll render status, and download results. Important privacy/behavior notes: user video files and metadata are uploaded to https://mega-api-prod.nemovideo.ai, and tokens (either a provided NEMO_TOKEN or an anonymously fetched token) are used for authorization. There is also an ambiguous instruction to 'auto-detect' the install path for X-Skill-Platform, which may not be applicable for instruction-only skills.
Install Mechanism
ok: No install spec and no code files — lowest-risk delivery model (instruction-only). Nothing is written to disk by an installer.
Credentials
note: Only one credential is required (NEMO_TOKEN), which is proportionate for an API-backed service. The skill will also create an anonymous token if NEMO_TOKEN is absent (via a public anonymous-token endpoint). The earlier-mentioned config path in SKILL.md introduces an inconsistency with registry metadata and could imply the skill expects local config files; this is not justified elsewhere.
Persistence & Privilege
ok: The skill does not request always:true, contains no install hooks, and does not indicate modifying other skills or system-wide settings. It operates via ephemeral session tokens for cloud renders.