Skill v1.0.0

ClawScan security

Youtube Ai Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 5:46 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches its stated purpose (remote AI video editing) but contains small metadata/instruction inconsistencies and will upload your raw video to an external backend and auto-provision tokens — verify the remote service before use.
Guidance
This skill appears to do what it claims: send your footage to a remote service (mega-api-prod.nemovideo.ai) for server-side editing and return a downloadable MP4. Before installing or using it, consider:

1) Privacy: your raw video will be uploaded to a third party — do not send sensitive content unless you trust the provider and reviewed its privacy/retention policy.
2) Token handling: the skill can auto-acquire an anonymous token; if you prefer explicit control, set your own NEMO_TOKEN and verify where it came from.
3) Metadata mismatch: the skill frontmatter references a local config path (~/.config/nemovideo/) that the registry did not list — ask the publisher whether the skill will read files from that location.
4) Verify the backend domain and the publisher (no homepage provided).

If you need higher confidence, request the skill's source or an official homepage/privacy policy and confirm the service provider identity and data handling practices before uploading content.

Review Dimensions

Purpose & Capability
note: The skill's name and runtime instructions match a remote AI video-editing service. Declaring NEMO_TOKEN as the primary credential is coherent. However, the SKILL.md frontmatter requests a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch should be clarified.
Instruction Scope
note: Runtime instructions confine actions to uploading media, creating sessions, streaming SSE, and starting renders on mega-api-prod.nemovideo.ai — all consistent with the stated purpose. The skill also describes auto-acquiring an anonymous token by POSTing to the provider and generating a UUID client id. This auto-provision behavior is expected but worth noting because it allows the skill to operate without a pre-set NEMO_TOKEN. The instructions require adding attribution headers and auto-detecting an install path value for X-Skill-Platform, which may leak local install path information depending on implementation.
Install Mechanism
ok: No install spec or code files are present (instruction-only), which minimizes on-disk risk. All operations are HTTP API calls to the remote backend.
Credentials
note: Only one credential (NEMO_TOKEN) is declared, which is proportional for a hosted API. However, SKILL.md also documents an anonymous-token acquisition flow (POST to /api/auth/anonymous-token) if NEMO_TOKEN is absent — meaning the skill can obtain and use a token without user-supplied secrets. The presence of a config path in the frontmatter suggests the code may also look for local stored credentials; this was not declared in the registry metadata and should be clarified.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills, and has no install-time persistence. Autonomous invocation is allowed (the platform default) and does not by itself raise concern here.