Skill v1.0.0

ClawScan security

Nano Banana Editing Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 2:16 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is mostly coherent for a cloud-based video-editing integration, but there are mismatches in declared config requirements and it will automatically connect and upload user video to an external, unverified API — so double-check before installing or sending private videos.
Guidance
This skill appears to be a cloud-based video editor that will upload videos and use a NEMO_TOKEN to call an external API (mega-api-prod.nemovideo.ai). Before installing or using it:
1) confirm you trust the external service and its privacy policy, because your video files and session tokens will be transmitted and possibly stored there;
2) resolve the metadata inconsistency (SKILL.md mentions ~/.config/nemovideo/ but registry metadata said none) and understand whether tokens or files will be written to your home directory;
3) be aware the skill will attempt to auto-connect and can generate anonymous tokens (it will make network calls if NEMO_TOKEN is not set); and
4) if you need stronger guarantees, ask the publisher for a privacy/data-retention statement or point the skill at a vetted endpoint before sending private content.
If you don’t trust the unknown host, do not upload sensitive videos.

Review Dimensions

Purpose & Capability
note: Name/description describe cloud video editing and the skill asks only for a NEMO_TOKEN credential, which is appropriate. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths; this inconsistency should be resolved.
Instruction Scope
concern: Runtime instructions will POST video files and session data to an external API (mega-api-prod.nemovideo.ai) and instruct automatic initial connection/anonymous token generation on first interaction. This means user video and session tokens will be transmitted to a third party, which is expected for a cloud editor but is a privacy/consent concern. The SKILL.md also references filesystem upload syntax (multipart @/path), which implies reading local files; clarify how file uploads are handled by the host agent.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer.
Credentials
note: Only a single credential (NEMO_TOKEN) is required, which matches the described API usage. SKILL.md also mentions saving session_id and possibly using ~/.config/nemovideo/; the declared config path (in SKILL.md) should be consistent with registry metadata and justified (e.g., token persistence).
Persistence & Privilege
ok: always is false and the skill doesn't request elevated or always-on privileges. It does instruct saving session tokens and possibly using a config path for persistence, which is reasonable for a session-based integration.