Skill v1.0.0

ClawScan security

Movie Maker Best Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 7:46 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud-based AI video editor: it only asks for a service token (NEMO_TOKEN), uploads user videos to the nemovideo.ai backend, and manages a session token — nothing else in the package requests unrelated credentials or system privileges.
Guidance
This skill will upload any video you provide to a third-party backend at mega-api-prod.nemovideo.ai and uses a short-lived token (NEMO_TOKEN) to authenticate. That behavior is expected for a cloud video editor, but consider: (1) Do you trust that domain and its privacy policy to handle your footage? Don't upload sensitive or private recordings unless you're comfortable with that service. (2) The skill can obtain an anonymous token automatically if none is present and will store session state under ~/.config/nemovideo/ — check that location if you want to remove persisted state. (3) The SKILL.md suggests detecting an install path to set a platform header; this may involve reading common skill directories — if you prefer the agent not to inspect those paths, ask the skill author to remove that check. If you need stronger assurance, request the skill's source or a known homepage so you can verify the service and privacy terms before using it.

Review Dimensions

Purpose & Capability
ok: Name/description (cloud video editing) match the declared requirement (NEMO_TOKEN) and the runtime instructions (upload clips, create session, export). No unrelated credentials or binaries are requested.
Instruction Scope
note: Instructions stay within the editing workflow (obtain token, create session, upload media, read SSE, poll export). One minor ambiguity: the skill tells the agent to detect an install path to populate X-Skill-Platform (mentions ~/.clawhub/ and ~/.cursor/skills/). Detecting an install path could require reading filesystem locations not declared in requires.configPaths, which is unnecessary for the core upload/edit/export flow.
Install Mechanism
ok: No install spec or external downloads — instruction-only skill. No code to write to disk, so low install-time risk.
Credentials
ok: Only NEMO_TOKEN (primary credential) and a config path (~/.config/nemovideo/) are declared; these are proportionate for a cloud service that needs an auth token and may persist session state. No unrelated secrets or many environment variables requested.
Persistence & Privilege
ok: Skill is not forced-always; it can be invoked normally. It instructs storing session_id for continued interaction and may persist data under ~/.config/nemovideo/, which is reasonable for a session-based cloud editor.