Skill v1.0.0

ClawScan security

Ai Video Editor Baby Dance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 5:29 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior mostly matches an AI cloud-video-editor but contains internal inconsistencies (required NEMO_TOKEN vs auto-provisioning, declared config path not used) and will upload user videos to an external API — review origin and data/privacy implications before installing.
Guidance
This skill appears to do what it says (upload your video to a cloud backend for editing), but there are a few red flags to consider before installing:

- Data/privacy: Using the skill will upload your raw video clips to https://mega-api-prod.nemovideo.ai. Only proceed if you are comfortable sending those files to that service. Test with non-sensitive clips first.
- Token inconsistency: The registry declares NEMO_TOKEN as required, but the instructions also auto-generate an anonymous token if it is missing. Ask the publisher which behavior is intended and whether any obtained tokens are persisted on disk or in agent state.
- Unused configPath: Metadata lists ~/.config/nemovideo/ but SKILL.md never reads it. Ask why that path is declared and whether the skill will read local configuration files.
- Provenance: There is no homepage or known source for this skill. If possible, request publisher contact, a privacy policy, or a public project repo to verify the backend is legitimate.

If you still want to try it: run with a throwaway/non-sensitive video first, do not provide any private tokens you aren't willing to expose to the remote service, and ask the skill author to clarify the NEMO_TOKEN/configPath behavior and the token storage/retention policy.

Review Dimensions

Purpose & Capability
Status: note
Name and description claim a cloud video editor, and the SKILL.md contains API endpoints and upload/export flows that match that purpose. However, metadata declares a required env var (NEMO_TOKEN) and a config path (~/.config/nemovideo/), while the runtime instructions describe auto-provisioning a token if none is present and never instruct reading the declared config path — this mismatch is incoherent and should be clarified.
Instruction Scope
Status: note
Instructions stay within the stated task (creating sessions, upload, SSE streaming, export polling) and explicitly instruct uploading user video files to a remote service. This is expected for a cloud video editor, but it is important to note the skill will send potentially sensitive user media off-device to an external API (mega-api-prod.nemovideo.ai). The SKILL.md also asks to auto-detect the install platform from an install path (which implies reading the runtime/install path), a minor scope extension but not obviously malicious.
Install Mechanism
Status: ok
No install spec or code files are present (instruction-only). Nothing is written to disk by an installer in the bundle, so install risk is lower. Runtime network calls are required but are described in the instructions.
Credentials
Status: concern
Only one credential is declared (NEMO_TOKEN), which fits a cloud API. However, requires.env lists NEMO_TOKEN as required while the SKILL.md also instructs obtaining an anonymous token via the API if the env var is absent, which is inconsistent. Metadata additionally declares a config path (~/.config/nemovideo/) but the instructions never reference reading it. These mismatches raise questions about what secrets/config the skill actually needs and whether it will read local config files.
Persistence & Privilege
Status: ok
No 'always' privilege; the skill is user-invocable and can run autonomously (platform default). There is no install-time code in the SKILL.md that claims to modify other skills or system-wide settings. The only persistence implied is use of a session token for API operations (normal for this purpose).