Skill v1.0.0

ClawScan security

Ai Video Editor Job Posting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 14, 2026, 4:15 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill’s requirements and runtime instructions are consistent with its stated purpose (uploading job descriptions and calling a remote video-generation API using a single service token).
Guidance
This skill is coherent with its description: it uploads your job text/files to a third-party video-generation API (mega-api-prod.nemovideo.ai) and uses a single NEMO_TOKEN (or an anonymous token) for requests. Before installing: (1) only provide a NEMO_TOKEN from a provider you trust — it grants the skill permission to act on your behalf; (2) be aware that any files you upload (job descriptions, attachments, audio/video) are transmitted to and processed by the external service — avoid sending sensitive PII or proprietary material unless you accept the service's data-retention and privacy terms; (3) anonymous tokens are possible but still result in data leaving your environment; and (4) because this is an instruction-only skill there is no local code to inspect, so review the service’s privacy/terms and token handling before use. If you need more assurance, ask the publisher for a privacy/retention statement or a trusted, official API domain and token-issuance details.

Review Dimensions

Purpose & Capability
ok
The name/description say it converts job postings into videos and the SKILL.md describes calling a remote 'nemovideo' API and uploading media — requiring a NEMO_TOKEN is coherent. The declared config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) align with that purpose; there are no unrelated credentials or binaries requested.
Instruction Scope
note
Instructions stay within the video-generation domain: create a session, upload user files, stream SSE for generation, check credits/state, and start exports. Two operational notes: (1) the skill includes an anonymous-token fallback flow (it POSTs an anonymous-token and uses its token if no NEMO_TOKEN is provided), and (2) it asks the agent to set an X-Skill-Platform header by inspecting install paths (this implies the agent may look at its install environment). Both are reasonable for this service but mean user files and metadata will be sent to an external third-party API.
Install Mechanism
ok
No install spec and no code files — instruction-only. That minimizes on-disk installation risk; nothing is downloaded or executed by the skill itself.
Credentials
ok
Only one credential is requested (NEMO_TOKEN), which is the expected service token for a hosted video API. The SKILL.md also documents an anonymous-token fallback rather than requiring other secrets. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
ok
always:false and no requests to modify other skills or system-wide configs. The skill does not request permanent presence or elevated agent privileges beyond normal autonomous invocation behavior.