Skill v1.0.0

ClawScan security

Editor Kiss Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 6:47 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions generally match a cloud-based video-editing tool, but there are metadata inconsistencies and privacy/third-party upload implications you should understand before installing.
Guidance
This skill appears to be a cloud-based video editor that will upload your videos to https://mega-api-prod.nemovideo.ai and use an Authorization token (NEMO_TOKEN) to process jobs. Before installing:

1) Accept that your media will be sent to a third-party server; don't upload sensitive private videos.
2) Confirm who runs mega-api-prod.nemovideo.ai and review their privacy/retention policy.
3) Ask the skill author to resolve metadata inconsistencies (declared config path vs. registry, supported formats/size limits).
4) Consider providing a limited/ephemeral token or using the anonymous token path (the skill can auto-create anonymous tokens) rather than a long-lived credential.
5) If you need stronger assurance, request a publisher homepage or source code; this skill has unknown origin.

If you cannot verify the service and privacy policy, avoid installing or limit use to non-sensitive test videos.

Review Dimensions

Purpose & Capability
note: The declared purpose (AI video editing / kiss transition effects) aligns with the API endpoints and upload/export flow in SKILL.md. However, the registry metadata lists no config paths while the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). Supported formats/size are also inconsistent between the description (MP4/MOV/AVI/WebM up to 500MB) and the SKILL.md (additional formats listed, no explicit size limit). These inconsistencies are signs of sloppy packaging or partial edits and warrant clarification.
Instruction Scope
concern: The instructions direct the agent to obtain or use an Authorization token, create sessions, upload user files, stream SSE chat, poll job status, and include attribution headers. Uploading user media to a remote cloud service and sending sessions/tokens to external endpoints is core to the stated function but represents a clear privacy/data exfiltration surface; this is expected for a cloud editor, but the user must be aware. The SKILL.md also instructs the agent to create anonymous tokens automatically if no NEMO_TOKEN is present, which means the agent will contact the service automatically unless explicitly prevented.
Install Mechanism
ok: Instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. This is the lowest install risk.
Credentials
note: Only one required env var is declared (NEMO_TOKEN), which is proportionate to a cloud API. However, the SKILL.md shows it can create an anonymous token itself, so requiring NEMO_TOKEN is optional in practice. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that was not listed in the registry manifest; this mismatch should be resolved. No other unrelated secrets are requested.
Persistence & Privilege
ok: The "always" flag is false and the skill does not request elevated or cross-skill config changes. It can be invoked autonomously by the agent (normal), but there is no evidence it attempts to persist beyond normal session/state operations with the backend.