Skill v1.0.0

ClawScan security

Video Editing For Beginners Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 11:27 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches a cloud video-editing service (it needs a NEMO_TOKEN and uploads videos to a nemovideo.ai API), but there are small inconsistencies and a few instructions that imply local probing and external data exfiltration that you should understand before installing.
Guidance
This skill appears to be a thin client for a cloud video-rendering service: using it will upload your raw videos and related metadata to mega-api-prod.nemovideo.ai and require an API token (NEMO_TOKEN). Before installing, consider: (1) privacy — you will be transmitting potentially sensitive video/audio to a third party; (2) token handling — the skill can generate anonymous tokens for short-term use but may also use a long-lived NEMO_TOKEN if provided; (3) local probing — the skill asks for a header derived from detecting install paths (it may check common skill directories), which reveals some information about your environment; and (4) metadata mismatch — the SKILL.md lists a config path that the registry metadata does not, so confirm whether the skill will read or write ~/.config/nemovideo/ or other local files. If any of these are unacceptable (sensitive content, unclear token persistence, or unwanted local file access), do not install until the publisher clarifies these points and provides a privacy/security policy and a trusted homepage or source.

Review Dimensions

Purpose & Capability
Note: Name/description (cloud video editing) aligns with the runtime instructions to upload clips and call nemovideo.ai endpoints; requesting a single service token (NEMO_TOKEN) is expected. However, SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata above listed no required config paths — this mismatch should be clarified.
Instruction Scope
Note: Instructions are explicit about uploading user video files, starting sessions, SSE streaming, polling renders, and including Authorization headers — all coherent for a remote render service. Two points to note: (1) headers include an X-Skill-Platform value 'detected from the install path' which implies the agent will probe filesystem locations (e.g., ~/.clawhub/, ~/.cursor/skills/) to derive a header; and (2) user video files and session metadata will be transmitted to an external domain (mega-api-prod.nemovideo.ai). Both behaviors are reasonable for this service but constitute data exposure and limited local probing.
Install Mechanism
OK: Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written to disk by an installer step described in SKILL.md.
Credentials
Note: Only one credential is requested (NEMO_TOKEN) which is appropriate for a hosted API. The SKILL.md also documents how to obtain an anonymous token via an API call if NEMO_TOKEN is not present. The frontmatter's declaration of a config path (~/.config/nemovideo/) is not reflected in the registry metadata earlier; this inconsistency should be resolved. No unrelated credentials are requested.
Persistence & Privilege
OK: always is false, and the skill does not request persistent system-wide privileges. It does imply maintaining session state with the remote API (session_id, render job ids) which is normal for this type of service.