Skill v1.0.0

ClawScan security

Video Editing Ai Open Source · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 4:33 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions largely match its stated purpose (cloud video editing), but it sends user videos to an external API and has a small metadata/config-path inconsistency you should be aware of before installing.
Guidance
This skill behaves like a cloud video editor: it will upload your videos and metadata to mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (it can generate a short-lived anonymous token if none is provided). Before installing, consider: (1) Do you trust the nemovideo domain and its privacy policy for handling your footage? (2) If you store a permanent NEMO_TOKEN in the environment, treat it like a secret. (3) The SKILL.md mentions a local config path (~/.config/nemovideo/) that isn’t declared elsewhere — check whether the skill will read that path and what it might contain. (4) If your content is sensitive, prefer a local editing workflow or confirm the provider’s retention and access policies. If you want more assurance, ask the skill author for a privacy policy or a link to the service homepage and for clarification about the config-path behavior.

Review Dimensions

Purpose & Capability
ok: Name/description = AI video editing. The only required credential is NEMO_TOKEN (primaryEnv) for a remote video-processing API — this is proportionate to a cloud editing service.
Instruction Scope
note: Runtime instructions make the agent create/use a session, upload user video files, stream edits via SSE, and poll for render results on https://mega-api-prod.nemovideo.ai. That behavior is expected for a cloud editor, but it implies user media and metadata are transmitted to a third-party service; the SKILL.md explicitly instructs to persist session_id and include Authorization headers. The doc tells the agent not to print tokens/JSON, which is good, but there is no explicit user-facing consent step for generating the anonymous token if NEMO_TOKEN is missing.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
note: Only NEMO_TOKEN is required, which is appropriate. However the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch could indicate the agent may look for local stored credentials or config files. Confirm whether the skill will attempt to read that path before installing.
Persistence & Privilege
ok: always:false and default invocation settings. The skill asks the agent to store session_id for job tracking (normal) but does not request persistent installation or system-wide changes.