Skill v1.0.0

ClawScan security

Video Editor Ai Best · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 4:26 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches a cloud video-editing service, but metadata inconsistencies, an unknown backend domain, and instructions that can access user files and a local config path warrant caution before installing.
Guidance
This skill looks like a cloud-based video editor and asks for one API token (NEMO_TOKEN) and will upload your files to https://mega-api-prod.nemovideo.ai. Before installing:
1) Verify the service owner and domain (there's no homepage or repo linked).
2) Prefer using a short-lived or limited-scope token rather than a long-lived credential.
3) Check for and remove any sensitive tokens in ~/.config/nemovideo/ (the SKILL.md references that path).
4) Test with a small, non-sensitive clip first.
5) If you are uncomfortable with automatic uploads to an external server, do not enable the skill or disable autonomous invocation.
6) If you need higher assurance, ask the publisher for provenance (homepage/repo, privacy policy) and clarification about why the config path was omitted from the registry metadata.

Review Dimensions

Purpose & Capability
note: The skill claims to perform cloud video editing and requires a single API token (NEMO_TOKEN), which is coherent. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata shows no required config paths, and the skill has no homepage or verifiable source — this mismatch and missing provenance reduce confidence.
Instruction Scope
concern: Runtime instructions tell the agent to read NEMO_TOKEN (or obtain an anonymous token), create sessions, upload files (multipart or by URL), and poll a third-party API at https://mega-api-prod.nemovideo.ai. The instructions also expect to auto-detect an install path for an attribution header. These steps legitimately support a cloud editor, but they also involve reading env vars, potentially a local config path, and uploading user files to an external, unverified domain — all of which expand the data-access surface and could be used to exfiltrate sensitive content if the backend is untrusted.
Install Mechanism
ok: No install spec and no code files — this is instruction-only, so nothing is written to disk by an installer. That minimizes installation-time risk.
Credentials
concern: Only NEMO_TOKEN is declared as required, which is reasonable for an API-backed service. But the SKILL.md frontmatter also references a config path (~/.config/nemovideo/), suggesting the skill may read local config files for credentials; that was not reflected in the registry metadata. The discrepancy and the potential to access a local config containing tokens are disproportionate without clearer justification.
Persistence & Privilege
ok: The skill is not force-enabled (always: false) and does not request system-wide persistence. Autonomous invocation is allowed (the platform default), which is expected for a skill of this type. There is no install-time modification of other skills or system settings described.