Skill v1.0.0
ClawScan security
Video Editing With Ai Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 1:54 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requested token and API calls directly match a cloud video-editing workflow, but a few minor metadata inconsistencies and the fact that it uploads user videos to an external service mean you should review privacy and trust of the backend before use.
- Guidance
- This skill appears to do what it says: it uploads your videos to mega-api-prod.nemovideo.ai for cloud editing and returns rendered MP4s. Before installing or using it, consider: 1) Privacy/Compliance — your raw footage (possibly sensitive) will be sent to an external service; confirm you trust the domain and its terms/privacy policy. 2) Token management — NEMO_TOKEN grants access to the service; if you let the skill auto-generate a token, understand it is valid for 7 days and tied to the anonymous client ID. 3) Metadata mismatch — the SKILL.md references a local config path (~/.config/nemovideo/) while the registry shows none; ask the publisher which is accurate. 4) Confirm the backend domain (mega-api-prod.nemovideo.ai) is legitimate for your organization before sending confidential content. If you need stronger assurance, request the skill's source/homepage or run uploads through a vetted proxy/account you control.
- Findings
[no-code-files-to-scan] expected: The regex scanner had no code files to analyze (SKILL.md only). This is expected for an instruction-only skill; absence of findings is not a guarantee of safety.
Review Dimensions
- Purpose & Capability
- ok: Name/description, declared primary env var (NEMO_TOKEN), and the SKILL.md all describe a cloud-based video-editing pipeline (upload, session, render, download). The NEMO_TOKEN credential is expected for this purpose and the APIs called are consistent with the described feature set (upload, render, credits, state).
- Instruction Scope
- note: Runtime instructions stay within video-editing scope (create session, upload files, send messages, poll render status). They do require access to the user's video files (expected) and to detect the install path to set an X-Skill-Platform header (inspects ~/.clawhub, ~/.cursor/skills/, or otherwise uses 'unknown'); this is minor but does require the agent to check existence of those paths. The skill also instructs not to display raw API responses or token values to the user — sensible for UX but could hide debug info if you need visibility.
- Install Mechanism
- ok: Instruction-only skill with no install spec and no code files — lowest install risk. It makes HTTPS calls to a named API host; nothing is downloaded or written by an installer spec.
- Credentials
- note: Only NEMO_TOKEN is declared as required and is the primary credential; SKILL.md includes a flow to auto-obtain an anonymous token if NEMO_TOKEN isn't set (consistent). One metadata mismatch exists: the skill's YAML frontmatter lists a configPaths value (~/.config/nemovideo/) while the registry summary shows 'Required config paths: none' — this inconsistency should be clarified. Aside from NEMO_TOKEN, no unrelated credentials are requested.
- Persistence & Privilege
- ok: always:false and no install actions; the skill does not request persistent system-wide privileges or modifications to other skills. It stores session IDs/tokens for normal operation (expected for a session-based API). Autonomous invocation is enabled (platform default) but not combined with other high-risk flags.
