Skill v1.0.0

ClawScan security

Video Editing With Mac · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 9:01 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud-based AI video-editing integration (it needs a single NEMO_TOKEN, uploads user videos, and talks to nemovideo.ai), with only minor metadata inconsistencies you should be aware of.
Guidance
This skill is coherent with a cloud video-editing service: it needs one token (NEMO_TOKEN) and will upload videos to mega-api-prod.nemovideo.ai for processing. Before installing or using it, consider:
1) Privacy: uploaded videos leave your machine; do not send sensitive footage unless you trust nemo's service and policies.
2) Token handling: if you don't supply NEMO_TOKEN the skill will obtain an anonymous token and store session IDs/tokens; supply your own token if you want control.
3) Metadata mismatch: the SKILL.md frontmatter references ~/.config/nemovideo/ while the registry lists no config paths; this is likely benign but worth double-checking.
4) Verify the API domain (mega-api-prod.nemovideo.ai) is the intended service.
If any of these are unacceptable, do not install or provide files/credentials.

Review Dimensions

Purpose & Capability
ok: Name/description promise (cloud video editing: upload, trim, render, download) aligns with the instructions and required credential (NEMO_TOKEN). The APIs, upload endpoints, and render/export flows match the stated purpose: nothing requests unrelated cloud credentials, system-level binaries, or unrelated services.
Instruction Scope
note: SKILL.md instructs the agent to check NEMO_TOKEN in the environment, create anonymous tokens if absent, create sessions, upload files (multipart or URLs), poll render status, and return download URLs. These actions are expected for a cloud-editing service, but the skill also asks the agent to auto-detect platform from its install path and references storing session_id and token values (with guidance to not display raw tokens). Be aware the agent will perform network calls and upload user-supplied video files to external servers; it may also read environment variables and installation paths for platform detection.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. That minimizes risk from arbitrary installers or downloaded executables.
Credentials
note: Only a single credential is required (NEMO_TOKEN), which is appropriate for this purpose. The skill will generate and use an anonymous token if NEMO_TOKEN is not present. The frontmatter metadata also lists a config path (~/.config/nemovideo/) not declared elsewhere in the registry metadata; this mismatch is minor but worth noting.
Persistence & Privilege
ok: Skill is not always-enabled and does not request system-wide persistence or modify other skills. It does instruct storing a session_id and using tokens for API requests, which is normal for a networked service.