Skill v1.0.0
ClawScan security
Vizard Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 12:11 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared requirements and runtime instructions are coherent with a cloud video-processing integration (nemovideo.ai); it asks only for a single API token and provides concrete API workflows for uploading, session management, SSE, and exporting.
- Guidance
- This skill appears to be what it says: it uploads videos to nemovideo.ai and uses a NEMO_TOKEN to create sessions, stream SSE messages, and fetch rendered MP4s. Before installing, consider: (1) privacy — your videos and any transcripts will be sent to an external cloud service (mega-api-prod.nemovideo.ai); do not upload confidential content unless you accept that. (2) Token handling — the skill will generate an anonymous NEMO_TOKEN for you if you don't provide one; that token carries limited credits and a 7-day validity. If you prefer control, supply your own NEMO_TOKEN rather than letting the skill auto-create one. (3) Persistence/transparency — the SKILL.md instructs storing session_id and hiding raw token values from users; ask where (ephemeral memory vs disk) session/token data are stored and how long they are retained. (4) Review nemovideo.ai's privacy/terms if you care about retention, attribution headers, or shared anonymous credentials. If you are comfortable with those points, the skill's requirements and instructions are proportionate to its stated purpose.
Review Dimensions
- Purpose & Capability
- ok: Name/description (clip-and-caption videos) match the required credential (NEMO_TOKEN), declared config path (~/.config/nemovideo/) and the SKILL.md which documents calls to a nemovideo.ai API for uploads, rendering, and exports. Nothing in the metadata or instructions requests unrelated cloud credentials or unrelated binaries.
- Instruction Scope
- note: SKILL.md contains detailed API call flows (anonymous-token, session creation, upload, SSE, render/polling) and explicit guidance for handling files and responses. This stays within the advertised purpose. Two points to note: (1) the skill auto-acquires an anonymous token if NEMO_TOKEN is not set and instructs to "store" session_id; the storage location/retention is unspecified; (2) it reads the skill frontmatter and attempts to detect install path to set attribution headers, which implies reading some local paths. Both behaviors are explainable for this use case but introduce minor transparency and state-persistence questions.
- Install Mechanism
- ok: Instruction-only skill with no install spec or code files. No downloads, no package installs, and thus minimal install-time risk.
- Credentials
- note: Only a single credential (NEMO_TOKEN) is required and is clearly the primary credential for the external API, which is proportionate to the task. The skill will optionally generate an anonymous NEMO_TOKEN on first run if the env var is not present; this behavior is reasonable but means the agent may obtain and use credentials on behalf of the user (transparency and token lifetime/usage should be considered).
- Persistence & Privilege
- ok: No always:true flag, no system-wide configuration changes documented, and no attempt to modify other skills or broad agent settings. The skill asks to store session_id for continuity between requests (expected for session-based APIs).
