Skill v1.0.0

ClawScan security

Editor Inshot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 6:22 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code-free instructions and requested credential (NEMO_TOKEN) are coherent with a cloud video-editing service, but there are small metadata inconsistencies and privacy-relevant behaviors you should be aware of before installing.
Guidance
This skill looks like a legitimate cloud video editor: it asks for one service token (NEMO_TOKEN) and otherwise runs as an instruction-only skill that calls nemovideo.ai endpoints. Before installing:
(1) Confirm you trust the nemo backend domain and are OK with the skill making outbound requests (it will fetch an anonymous token if you don't provide NEMO_TOKEN).
(2) If you care about privacy, note the skill will send X-Skill-Platform and other attribution headers which are derived by checking a couple of common install paths and the skill's frontmatter; consider setting NEMO_TOKEN yourself rather than letting the skill auto-request an anonymous token.
(3) Ask the publisher to clarify the registry/frontmatter mismatch about config paths (~/.config/nemovideo/) if you want to be strict about declared requirements.
(4) Do not upload sensitive or private videos to the service unless you have verified its privacy/retention policies.

Review Dimensions

Purpose & Capability
ok: The name/description (AI cloud video editor) aligns with the runtime instructions: session creation, upload, render/export endpoints, and requiring a service token (NEMO_TOKEN). Requiring a token and calling nemovideo.ai endpoints is proportionate to the stated purpose.
Instruction Scope
note: The SKILL.md stays mostly within the editing scope (create session, upload media, SSE for edits, poll render status). It instructs the agent to read this file's YAML frontmatter and to detect the install path (~/.clawhub/, ~/.cursor/skills/) to populate an X-Skill-Platform header. This means peeking at a couple of filesystem locations (its own frontmatter and common install paths), which is reasonable for attribution but is a privacy-relevant action. It also automatically fetches an anonymous token from mega-api-prod.nemovideo.ai if NEMO_TOKEN is not present, which produces outbound network activity and transmits a generated UUID as X-Client-Id.
Install Mechanism
ok: No install spec and no code files; the skill is instruction-only. This is low-risk from a code-install perspective because nothing is downloaded or written by an install step.
Credentials
note: Only NEMO_TOKEN is declared as required, which matches the service. The skill will also generate and send an anonymous token if NEMO_TOKEN is absent. One oddity: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) in metadata, but the registry metadata reported earlier listed no required config paths; this mismatch is worth verifying. The headers the skill requires (X-Skill-Source/Version/Platform) will leak minimal attribution/platform info to the remote service.
Persistence & Privilege
ok: The skill is not marked always:true and has no install hooks. It does not request persistent system-level privileges; autonomous invocation is allowed (platform default) but is not combined with broad credential access or system changes.