Skill v1.0.0

ClawScan security

Video Editing With For Marketing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 2:16 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud-based video editing tool, but it will upload user video and some local metadata to an external service and auto-create anonymous tokens if none are provided.
Guidance
This skill is coherent for cloud-based video editing but will send your uploaded videos and some metadata (session IDs and install-path-derived headers) to mega-api-prod.nemovideo.ai and will create an anonymous NEMO_TOKEN if you haven't provided one. Before using: (1) Do not upload sensitive or confidential footage unless you trust that service; (2) Prefer setting your own NEMO_TOKEN only if you trust the provider and know their retention/privacy terms; (3) Be aware the skill will include attribution headers that can reveal install-path/platform info; (4) Test with non-sensitive sample videos first and confirm how long the service retains uploaded media and logs; (5) If you require fully local editing, use a local tool instead of this skill.

Review Dimensions

Purpose & Capability
ok: Name/description, required env var (NEMO_TOKEN), and the API endpoints all align with a cloud video-editing service. No unrelated credentials or binaries are requested.
Instruction Scope
concern: Instructions direct the agent to upload user media and session metadata to https://mega-api-prod.nemovideo.ai, create sessions, stream SSE, poll render jobs, and (if no NEMO_TOKEN present) obtain an anonymous token automatically. The skill also instructs collecting install-path information for attribution headers (potentially leaking local install path metadata). These behaviors are expected for a cloud editor but do constitute sending user files and some local metadata off-host.
Install Mechanism
ok: Instruction-only skill with no install steps or downloaded code, which limits filesystem persistence and installation risk.
Credentials
note: Only NEMO_TOKEN is required (declared as primary). The skill will generate and use an anonymous token if NEMO_TOKEN is absent. Metadata also lists a config path (~/.config/nemovideo/) and the instructions ask the agent to detect install path for attribution headers — this is explainable by the service's attribution needs but may leak local path info.
Persistence & Privilege
ok: No 'always: true' set and no install-time modifications are declared. The skill keeps session_id and tokens for operations during a session but does not declare writing to other skills' configs. Autonomous invocation is allowed (platform default) which is normal for skills that handle uploads.