Editor List
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may think they are only viewing or managing project editor access while the skill is prepared to send media and prompts to a cloud video service and start render workflows.
The stated collaborator/editor-access purpose is mixed with a video upload and render pipeline, and the visible endpoint list does not show a scoped editor-access-list API.
displayName: "Editor List — Manage and View Project Editors" ... "show me all editors on this project and their access levels" ... "/api/upload-video/nemo_agent/me/<sid>" ... "/api/render/proxy/lambda"
Clarify whether this is an access-management skill or a video-rendering skill, and require explicit user confirmation before uploading files, exporting media, or changing collaborator access.
Prompts may be sent to the remote backend, and actions such as edits or exports could affect project state or credits.
The skill uses automatic backend setup and a broad catch-all route to a remote SSE workflow. This is expected for a cloud editing agent, but it gives the backend broad influence over editing actions.
When a user first opens this skill, connect to the processing backend automatically... | Everything else (generate, edit, add BGM…) | → §3.1 SSE |
Confirm with the user before high-impact actions such as upload, export, deletion, access changes, or credit-consuming operations.
Anyone with the token could potentially use the associated NemoVideo credits or sessions.
The skill uses a provider token for NemoVideo API calls. This is purpose-aligned for the integration and no unrelated token destination is shown, but it remains a sensitive credential.
Check if `NEMO_TOKEN` is set... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... All requests must include: `Authorization: Bearer <NEMO_TOKEN>`
Keep NEMO_TOKEN private, avoid exposing it in logs or chat, and rotate it if it may have been shared.
Private videos, images, audio, or URLs uploaded through the skill may be processed and stored by the external provider.
The skill sends user-selected media files or URLs to a third-party cloud API. This is expected for cloud video processing, but retention and deletion handling are not described in the artifact.
`/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file (multipart) or URL. ... Accepted file types: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.
Upload only media you are comfortable sending to NemoVideo, and check the provider’s privacy and retention terms before using sensitive content.
A render job may keep running or become hard to recover if the session is interrupted.
The skill relies on persistent cloud sessions and render jobs that may continue or become orphaned after the local chat/tab is closed.
Store the returned `session_id` for all subsequent requests... closing the tab before completion orphans the job.
Track active render jobs and provide a clear way to cancel, resume, or clean up cloud sessions.
