Skill v1.0.0

ClawScan security

One Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:45 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are generally coherent with a cloud video-editing integration (it needs a NEMO_TOKEN to call nemo's API and uploads user video to that service), though there are small metadata/instruction inconsistencies you should be aware of before installing.
Guidance
This skill appears to do what it says: it uploads a single video to nemo's cloud service and returns an edited MP4. Before installing or enabling it, consider: 1) You will need to provide a NEMO_TOKEN (or the skill will request an anonymous token and upload your file to https://mega-api-prod.nemovideo.ai) — do not share sensitive footage unless you trust that service and have reviewed its privacy/retention policy. 2) The SKILL.md asks the agent to read the skill file's YAML frontmatter and detect install paths and a local config directory (~/.config/nemovideo/) — ask the author why local filesystem access is needed and whether anything will be written there. 3) No code is installed locally (instruction-only), but network exfiltration risk exists because user video and metadata are sent to a third-party API; confirm the endpoint and provider authenticity. 4) If you need higher assurance, request the skill author provide a homepage or source repo, or test the skill in an isolated/low-privilege environment first. The registry scanner had no code to analyze, so there are no regex findings to comment on.

Review Dimensions

Purpose & Capability
note: The skill claims to edit a single video via a remote service and only requests a single API credential (NEMO_TOKEN), which aligns with that purpose. The SKILL.md also references a local config path (~/.config/nemovideo/) in its metadata — it's plausible this is for caching tokens, but the registry metadata earlier listed no required config paths, creating a small inconsistency to verify.
Instruction Scope
note: Runtime instructions are focused on creating a session, uploading a file, running edits, and polling for a rendered download URL — all within the stated purpose. However, the skill instructs the agent to read this skill file's YAML frontmatter and to detect install paths (e.g., ~/.clawhub/, ~/.cursor/skills/) for attribution headers; those filesystem reads are not strictly necessary for basic editing and broaden the scope somewhat. The skill also implements a fallback to obtain an anonymous token from nemo's API if no NEMO_TOKEN is present.
Install Mechanism
ok: No install spec and no code files — instruction-only. This minimizes on-disk risk because nothing is downloaded or executed by the installer.
Credentials
note: Only a single credential (NEMO_TOKEN) is declared as required and is consistent with calling nemo's API. The SKILL.md, however, references reading a local config path and checking install locations; that local access is not declared in registry metadata and should be justified if the skill will read or write files there.
Persistence & Privilege
ok: always:false and no install behavior means the skill does not request permanent elevated presence. It does require the agent be allowed to make outbound requests to the nemo API (normal for a remote-editor skill).