Skill v1.0.0

ClawScan security

Ai Video Editor Download Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 14, 2026, 5:07 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches an AI video-editing purpose but has mismatches (manifest vs SKILL.md), an unknown backend, and behavior that will upload your videos and create/store anonymous tokens — review before installing or sending sensitive content.
Guidance
This skill will upload your raw videos to an external service (mega-api-prod.nemovideo.ai) and will either use a NEMO_TOKEN you provide or create an anonymous token itself. Before installing or using it:
1) Verify the service/domain and privacy/terms (no homepage/source provided here).
2) Avoid uploading sensitive or private video content until you trust the backend.
3) Note the manifest/skill text mismatch (declared required config paths vs registry metadata and the env var being effectively optional); ask the publisher to clarify where tokens/config are stored.
4) Prefer supplying your own service token if you want explicit control, and confirm whether the skill persists tokens or writes to ~/.config/nemovideo/.
5) If you need higher assurance, ask for the source repository or an official homepage and a clear privacy policy before use.

Review Dimensions

Purpose & Capability
note: The skill's name/description align with the API calls and upload/export functionality described. Requesting a NEMO_TOKEN is coherent for a video-processing cloud service. However, the frontmatter in SKILL.md lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths; this inconsistency should be confirmed. Also, the skill both declares NEMO_TOKEN as required yet documents a fallback that generates an anonymous token if none is present (so the env var is effectively optional).
Instruction Scope
note: The SKILL.md explicitly instructs the agent to upload user video files, create sessions, poll render jobs, and include attribution headers, all expected for a cloud video editor. It does not request unrelated files or unrelated credentials. Important scope notes: it will perform network requests to an external domain (mega-api-prod.nemovideo.ai), will generate/store session tokens, and maps UI actions to API calls. The instructions do not appear to read unrelated system data, but they may require detecting an install path for X-Skill-Platform, which could imply inspecting environment/install paths.
Install Mechanism
ok: There is no install spec and no code files. This is instruction-only, so nothing is written to disk by an installer. That reduces installation risk. However, the runtime behavior relies on an external backend (unknown origin), which is the primary operational risk rather than an installer.
Credentials
concern: The skill declares a single primary credential NEMO_TOKEN which fits the described API usage, but the SKILL.md also instructs creating an anonymous token by POSTing to the backend if NEMO_TOKEN is absent. This makes the declared 'required env var' effectively optional and is an important behavioral detail: the skill will reach out to an external service and obtain and use credentials on your behalf. The metadata/frontmatter also mentions a config path (~/.config/nemovideo/), which was not listed in the registry requirements, a mismatch that affects where tokens or config might be stored on disk. No other unrelated credentials are requested.
Persistence & Privilege
ok: The skill is not 'always: true' and does not request elevated system privileges. It keeps an ephemeral session_id for operations and may store an anonymous token (7-day expiry) per its flow, but does not ask to modify other skills or system-wide settings in the provided instructions.