Skill v1.0.0
ClawScan security
Free Generation Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 3:16 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are coherent with a cloud-based AI video editor: it needs one API token (NEMO_TOKEN), uploads user media to nemovideo.ai, and uses that service's endpoints — nothing in the manifest asks for unrelated secrets or installs extraneous components.
- Guidance: This skill will upload any media you give it to a third‑party backend (mega-api-prod.nemovideo.ai). Before installing or using it:
  1) Confirm you trust that service and its privacy/retention policies for uploaded video/audio (don't upload sensitive material you wouldn't share with an online editor).
  2) Be aware the skill uses NEMO_TOKEN (or will request a short-lived anonymous token) to authenticate — treat that token like any API secret.
  3) The skill may read its own frontmatter or detect its install path for attribution headers — this is minor but worth knowing if you expect no filesystem access.
  4) If you need stronger guarantees, contact the service owner, review their docs/privacy, or avoid giving real credentials and rely on ephemeral/anonymous tokens instead.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL.md documents endpoints, upload, session creation, SSE streaming, and render/export calls to a single backend (mega-api-prod.nemovideo.ai). The single required env var (NEMO_TOKEN) is appropriate for a hosted API.
- Instruction Scope (note): Instructions direct the agent to upload user video/audio/image files and stream SSE responses from the remote API — this is expected for a cloud editor. The only minor scope creep: the skill instructs detecting an 'install path' (to set X-Skill-Platform), which implies reading its install path/frontmatter at runtime; this is limited and plausibly needed for attribution but does require reading local skill metadata/files.
- Install Mechanism (ok): Instruction-only skill with no install step or code files; nothing is downloaded or written to disk by an installer. Lowest-risk install profile.
- Credentials (ok): Only NEMO_TOKEN is declared as required and used for Bearer authorization. The SKILL.md provides an anonymous-token fallback when NEMO_TOKEN is absent — this behavior is consistent with the service's API and does not request unrelated credentials or secrets.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or system-wide settings; autonomous invocation is allowed by default but not excessive here.
