Skillv1.0.0

ClawScan security

Best Video Editor For Ipad · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 16, 2026, 7:44 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent for a cloud-based video editing integration: it asks for one service token, uploads user media to the described API, and stores minimal session state — nothing in the package strongly contradicts its stated purpose.
Guidance: This skill sends any uploaded videos to an external service (mega-api-prod.nemovideo.ai) for cloud rendering and requires a NEMO_TOKEN to authenticate. Before installing, consider: (1) privacy — uploaded videos will leave your device, so review the service's terms and data retention policies; (2) credential scope — use a dedicated or ephemeral NEMO_TOKEN (the skill can obtain an anonymous short-lived token) rather than a token that gives broader access to your accounts; (3) filesystem access — the skill may read/write a small nemo config directory (~/.config/nemovideo/) and check common skill-install paths for attribution metadata; if you are uncomfortable with that, don't install or run it in a restricted environment; (4) if you need stronger assurance, ask the author for a privacy/security policy or a public API doc for the nemovideo endpoints before proceeding.

Purpose & Capability: okThe skill claims to perform cloud AI video editing and only requests a NEMO_TOKEN and a nemo-specific config path (~/.config/nemovideo/) which are proportionate for authenticating and persisting session state with that service.
Instruction Scope: noteInstructions direct the agent to upload user-provided media and manage sessions via the provider's API (endpoints, SSE handling, renders). They also instruct the agent to read the skill's YAML frontmatter for attribution and to detect common install paths (~/.clawhub, ~/.cursor/skills/) to set X-Skill-Platform; this filesystem inspection is limited but worth noting because it reads locations outside the skill file itself.
Install Mechanism: okNo install steps or third-party packages are declared (instruction-only skill), so nothing is downloaded or written by an installer.
Credentials: okOnly a single environment credential (NEMO_TOKEN) is required and is consistent with the documented API usage. The declared config path aligns with storing session/token data for the nemo service.
Persistence & Privilege: okThe skill is not flagged as always:true and does not request elevated platform privileges. Persisted state (session_id, possibly tokens) is reasonable for resuming render jobs and is scoped to the nemo config path.