Skill v1.0.0

ClawScan security

Video Editor For · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 2:42 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally coherent for a cloud video-editing integration (it contacts a remote NemoVideo API and asks for a Nemo token), but there are small metadata inconsistencies and privacy considerations you should review before use.
Guidance
This skill behaves like a typical cloud video-editing integration: it will upload any video you send to the NemoVideo service and use a NEMO_TOKEN (or create a temporary anonymous token) to authenticate. Before installing or using it:
1) Be aware you are sending media to an external third-party endpoint (mega-api-prod.nemovideo.ai) — don't upload sensitive content unless you're comfortable with their privacy/retention policy.
2) The package has no homepage and the source is unknown; consider this when trusting a token or uploading copyrighted/private videos.
3) Note the SKILL.md references a config path (~/.config/nemovideo/) but the registry metadata omitted it — ask the publisher to clarify whether the skill will read local config files.
4) Use anonymous tokens or a dedicated limited-scope NEMO_TOKEN if possible, and test first with non-sensitive samples.
5) If you need higher assurance, ask the author for a homepage, privacy policy, and proof-of-service (e.g., official API docs or a trusted release) before granting tokens or uploading production content.

Review Dimensions

Purpose & Capability
note
The name/description (AI-powered remote video editing) matches the runtime instructions (uploading video, creating a session, rendering/export endpoints). The declared primary credential NEMO_TOKEN is appropriate for a remote service. One inconsistency: the registry metadata provided with the package lists no required config paths, but the SKILL.md frontmatter/metadata references a config path (~/.config/nemovideo/). This mismatch should be resolved (either the skill needs that config path or it should not claim it).
Instruction Scope
note
SKILL.md stays within the editing workflow: create/refresh a session, upload videos, send edits over SSE, poll for render results, and return download URLs. It explicitly instructs generating an anonymous token if NEMO_TOKEN is missing and to avoid printing tokens/raw JSON. Important operational behaviors: user media is uploaded to an external service (mega-api-prod.nemovideo.ai), the skill requires particular attribution headers on all requests (skill name/version/platform), and it asks agents to auto-detect platform/install path for X-Skill-Platform — this may reveal install path info. These are expected for the stated purpose but are privacy-relevant and should be noted.
Install Mechanism
ok
No install specification or code files are present (instruction-only). This is the lowest-risk deployment model for this type of skill — nothing is written to disk by an install step in the package itself.
Credentials
note
The only required environment credential is NEMO_TOKEN (declared as primary), which is proportionate to a cloud editing service. The SKILL.md also documents a fallback anonymous-token flow (generating a UUID and POSTing for a temporary token). The earlier-noted inconsistency is that SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata summary showed none — requesting access to a user config path would increase sensitivity and should be clarified. No unrelated credentials are requested.
Persistence & Privilege
ok
The skill does not request always: true and is user-invocable; it does not ask to modify other skills or system-wide settings. The skill stores session_id per its workflow, which is appropriate for managing render jobs and not a privilege escalation.