Skill v1.0.0
ClawScan security
Video Clip Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 12:56 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (uploading user video files to a remote API and creating/using session tokens) is coherent with its stated purpose, but there are small inconsistencies and privacy/transparency concerns you should understand before installing.
- Guidance: This skill will send any video you upload and session tokens to a third‑party API (mega-api-prod.nemovideo.ai) for server-side editing — that is how it works but it has privacy implications. Before installing or using it, confirm: (1) you trust the Nemo service and its privacy/retention policy (will uploads be stored/retained?), (2) you are comfortable with the skill creating/using anonymous tokens (it may persist them under ~/.config/nemovideo/ per the SKILL.md metadata), (3) you do not expose a more privileged token in NEMO_TOKEN (use an ephemeral or least-privilege token), and (4) you are okay with the agent reading the skill install path or config location to populate headers. Also note the skill instructs the agent to hide technical details from users — if you need auditability or transparency of network activity, ask the owner for a privacy/security statement or avoid using the skill. Finally, clarify the metadata inconsistency around config paths with the publisher if you require stronger guarantees.
Review Dimensions
- Purpose & Capability (note): The name/description (remote video clip editing) matches the actions described (upload, SSE-based editing, render/export). Requiring a single API token (NEMO_TOKEN) is appropriate. However, metadata in the SKILL.md references a config path (~/.config/nemovideo/) while registry metadata lists no required config paths — this mismatch should be clarified.
- Instruction Scope (concern): Runtime instructions direct the agent to upload user-provided video files to an external service (mega-api-prod.nemovideo.ai), create anonymous tokens when none are present, open sessions, stream SSE, poll renders, and include attribution headers. Those actions are expected for a cloud-based editor, but the instructions also explicitly tell the agent to 'keep the technical details out of the chat' (reduces transparency) and to detect an install path to set a header (requires reading local paths). The skill will therefore read an env var, potentially read local install/config paths, and transmit user files and session tokens to a third-party API — a notable privacy/network activity that users should be aware of.
- Install Mechanism (ok): Instruction-only skill with no install spec and no bundled code — nothing is written to disk by an installer. This is the lowest install risk.
- Credentials (note): Only one environment variable (NEMO_TOKEN) is required, which is appropriate for an API-backed service. The SKILL.md describes creating and using an anonymous token if none exists, so the agent may create and use credentials at runtime. The SKILL.md metadata references a config path (~/.config/nemovideo/) that could be used to persist tokens; the registry listing omitted required config paths — this inconsistency should be clarified. No other unrelated credentials are requested.
- Persistence & Privilege (ok): The skill does not request always:true and doesn't modify other skills. It can be invoked autonomously (platform default), which combined with network access increases blast radius but is not unusual for a networked skill.
