Skill v1.0.0

ClawScan security

Highlight Editor Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 11, 2026, 7:56 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini

Summary
The skill mostly behaves like a cloud-based YouTube highlight service, but there are internal inconsistencies about credentials and config paths and it will automatically obtain and store anonymous tokens and upload user videos to an external API — you should review provenance and privacy before using it.
Guidance
This skill will send your videos to a third‑party service (mega-api-prod.nemovideo.ai) and can automatically mint and store an anonymous token if you don't supply one. Before installing or using: (1) confirm who operates nemovideo.ai and review their privacy/retention policy for uploaded media; (2) prefer providing your own NEMO_TOKEN if you want control over credentials; (3) avoid uploading sensitive or private videos until you verify data handling; (4) ask the publisher why the registry metadata differs from SKILL.md (config path vs none, and 'required' env var vs anonymous-token flow). These inconsistencies are the reason this skill is flagged as suspicious.

Review Dimensions

Purpose & Capability
Note: The declared purpose (extract highlights from YouTube videos) matches the API endpoints described (upload, render, export), and the single required credential (NEMO_TOKEN) is consistent with a third-party rendering backend. However, metadata/instruction inconsistencies exist: the registry lists no config paths, but the SKILL.md frontmatter requires ~/.config/nemovideo/; and while NEMO_TOKEN is declared required, the SKILL.md provides an anonymous-token flow that obtains a token automatically if NEMO_TOKEN is unset. That mismatch reduces transparency.
Instruction Scope
Concern: The runtime instructions direct the agent to obtain/store tokens, create sessions, upload user video files or URLs, poll render status, and include attribution headers derived by probing the install path. Uploading user media to https://mega-api-prod.nemovideo.ai sends it outside the user's machine and requires explicit user consent; the skill also reads the agent install path to set X-Skill-Platform, which is a cross-cutting system probe not strictly required for video editing. The SKILL.md instructs suppressing raw token display and storing tokens, but gives no storage location or retention policy.
Install Mechanism
OK: This is instruction-only with no install spec or additional binaries, which is the lowest install risk. Nothing written to disk by an installer is declared.
Credentials
Note: Only one credential (NEMO_TOKEN) is declared, which is proportionate for a hosted rendering API. But the SKILL.md auto-generates an anonymous token when the env var is absent; that behavior contradicts the registry's 'required env var' declaration and means the skill will operate without an explicit user-provided credential. The frontmatter also mentions a config path (~/.config/nemovideo/) not present in registry metadata; it is unclear why that path is required or read.
Persistence & Privilege
OK: The skill is not always-enabled and does not request system-wide privileges. It does instruct creating/storing session tokens and job IDs for its own operation, which is normal for a cloud service integration and not inherently privileged.