Skill v1.0.0

ClawScan security

Ai Video Editor App Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 11:16 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video editing) matches most of its runtime instructions, but there are inconsistencies (declared config paths vs registry metadata) and clear privacy/safety implications (automatic token creation and uploading user videos to an external service) that you should understand before installing.
Guidance
This skill will upload any video you send to a third-party service (mega-api-prod.nemovideo.ai) and will automatically obtain and use an anonymous bearer token if you don't supply NEMO_TOKEN. Before installing or using it: (1) confirm you trust that external service and its privacy/retention policy for your videos; (2) prefer supplying an ephemeral or dedicated token rather than a credential used elsewhere; (3) ask the publisher to explain the apparent mismatch about required config paths (~/.config/nemovideo/ listed in the skill but not in registry metadata) and why the skill probes install paths in your home directory; (4) avoid sending sensitive footage until you're satisfied with those answers. If you cannot verify the service owner or privacy terms, treat this skill with caution.

Review Dimensions

Purpose & Capability
note: The skill claims to perform cloud video editing and asks only for a single API token (NEMO_TOKEN) which is appropriate for that purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not declare; this mismatch is unexplained and could indicate either sloppy metadata or an unadvertised need to access user config files.
Instruction Scope
concern: The instructions tell the agent to (a) check the environment for NEMO_TOKEN or else acquire an anonymous token by POSTing to a remote endpoint, (b) maintain session_id for subsequent calls, (c) upload user video files (either by file path or URL) to the remote API, and (d) inspect installation paths (~/.clawhub/, ~/.cursor/skills/) to set an attribution header. Uploading user media to a third-party endpoint and probing home-directory paths are significant actions that go beyond simple local editing helpers and should be explicit to the user. The SKILL.md also instructs reading its own YAML frontmatter and detecting install paths — these imply filesystem reads that are not declared elsewhere.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written to disk by an install step. That lowers supply-chain risk compared to installers or external archives.
Credentials
note: The single required env var NEMO_TOKEN is proportionate to a cloud service integration. However, the SKILL.md frontmatter also declares a configPaths value (~/.config/nemovideo/) while the registry metadata lists no required config paths — an inconsistency. The skill also instructs creating and using anonymous tokens automatically, which is functional but means the agent will call remote auth endpoints and hold bearer tokens in memory; users should confirm they are comfortable with that token being used for uploads.
Persistence & Privilege
ok: The skill is not marked always:true and does not request privileged persistent presence. It does instruct the agent to hold session_id for the duration of a session, but it does not mandate writing tokens or sessions to disk. Autonomous invocation is allowed by default and is not in itself a problem here.