Skill v1.0.0

ClawScan security

Ai Video Editor Gratis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 6:41 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely behaves like a cloud-based video editor (uploads footage and uses a backend token) but contains metadata/instruction mismatches and will send user files and tokens to an external service you don't control — verify the service before installing.
Guidance
This skill implements a cloud-based editor: it will upload whatever videos you provide and obtain/use a session token (NEMO_TOKEN) from https://mega-api-prod.nemovideo.ai. Two things stand out: (1) the registry metadata says NEMO_TOKEN is required, but the instructions will request an anonymous token if none is present — that discrepancy should be clarified by the publisher; (2) there is no homepage, publisher information, or privacy policy listed, so you cannot verify who will receive your media or how it will be stored. Before installing or using it: confirm the service/domain is trustworthy, ask the publisher for a privacy policy and data retention rules, and avoid sending sensitive video content until you have that assurance. If you need to provide your own NEMO_TOKEN, treat it like any API credential and avoid reusing high-privilege keys. Additional publisher metadata (homepage, contact, or source code) would increase confidence.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (cloud AI video editing) matches the network calls and flows in SKILL.md: it uploads media, creates sessions, and exports rendered MP4s. However, the registry metadata and SKILL.md disagree: the registry lists NEMO_TOKEN as a required env var but the runtime instructions include a flow to obtain an anonymous NEMO_TOKEN if not present. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that the registry metadata did not. These mismatches reduce confidence in the declared requirements.
Instruction Scope
concern: Runtime instructions tell the agent to POST user media and other requests to https://mega-api-prod.nemovideo.ai (auth, upload, SSE, render APIs). That is expected for a cloud editor, but it means user videos and derived metadata will be transmitted to a third-party domain. The skill also instructs creating an anonymous token and storing/using a session token, and derives header fields from local install paths (requires detecting install path), implying the agent may read local path information. There are no instructions to access unrelated system secrets, but sending user files and generating/storing tokens externally is high-impact and should be explicit and trusted.
Install Mechanism
ok: No install spec or code files are present; this is instruction-only so nothing is written to disk by an installer. This lowers the risk of install-time code execution, but runtime network activity remains the primary surface.
Credentials
note: Only one credential (NEMO_TOKEN) is declared as primary and that maps to the backend auth described. However, the declared required env var (NEMO_TOKEN) conflicts with SKILL.md which implements an anonymous-token acquisition flow when NEMO_TOKEN is absent. The skill may therefore work without a pre-provided secret but will call the remote auth endpoint and use the returned token. The behavior is plausible for its purpose but the mismatch in declarations and the automatic token acquisition should be called out to users.
Persistence & Privilege
ok: The skill does not request always:true or other elevated persistent privileges. It is user-invocable and allows model invocation (the platform default). Nothing in the SKILL.md tries to modify other skills or system-wide agent settings.