Skill v1.0.0

ClawScan security

Video Editor Easy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 12:41 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested token, config path, and runtime instructions align with a cloud video-editing service; it is internally consistent but will upload user video to an external API, so review before sending sensitive content.
Guidance
This skill will upload any videos you provide to https://mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or will obtain a short-lived anonymous token). Before installing or using it: (1) Confirm you are comfortable sending your videos to that external service and review its privacy/TOS; avoid uploading sensitive or private recordings. (2) If NEMO_TOKEN is present in your environment, ensure it is the token you intend to use (store tokens securely). (3) The skill may read install path info to set attribution headers — no other system files are requested. (4) Because this is an instruction-only skill, no local binaries are installed. If you want extra assurance, ask the integrator for the service's privacy policy, endpoints, and whether uploads are retained/backed up or shared.
Findings
[no_code_files_scanned] expected: The regex scanner had no code files to analyze because this is an instruction-only skill (SKILL.md). The lack of findings does not imply safety; review the SKILL.md (which was done) because runtime behavior is defined there.

Review Dimensions

Purpose & Capability
ok: Name/description, required NEMO_TOKEN, and config path (~/.config/nemovideo/) match a cloud video-editing backend. The declared primary credential (NEMO_TOKEN) and the API endpoints in the instructions are coherent with the stated purpose.
Instruction Scope
ok: SKILL.md strictly describes creating/using a session token, uploading video files or URLs, SSE streaming, polling render status, and exporting. All I/O is directed to the nemovideo API and user-supplied files; the instructions do not request unrelated system files or other credentials. It does instruct the agent to auto-detect platform/install path for an attribution header (minor scope expansion) but this is consistent with sending X-Skill-Platform.
Install Mechanism
ok: Instruction-only skill with no install spec or downloaded code; nothing is written to disk by an installer. This minimizes install-time risk.
Credentials
ok: Only NEMO_TOKEN (primaryEnv) and an optional config path are required. The fallback anonymous-token flow is described in the docs (generates a short-lived token via the public API). No unrelated environment variables or extra credentials are requested.
Persistence & Privilege
ok: always:false and normal agent invocation settings. The skill does not request permanent system-wide presence or modify other skills' configs; session tokens are transient and used only for interactions with the backend.