Skill v1.0.0

ClawScan security

Video Editor Simple · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 3:49 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video editing integration (it needs a NEMO_TOKEN and uses a nemo video API); nothing requested appears unrelated, but there are a few minor inconsistencies and privacy considerations you should review before uploading content.
Guidance
This skill appears to be a straightforward cloud-based video editor that uses a single service token (NEMO_TOKEN). Before installing or using it: (1) confirm you trust the service domain (mega-api-prod.nemovideo.ai) — uploaded video files will be sent to that backend; (2) verify where the agent will store the session token/session_id and how long it persists; (3) if you have sensitive footage, avoid uploading it until you review the provider's privacy/storage policy; (4) note the SKILL.md will auto-generate an anonymous token if none is provided — if you prefer control, supply your own NEMO_TOKEN; (5) the skill determines an install path to set an attribution header — if your environment restricts reading your home dirs, ensure the agent's filesystem access policy is acceptable. These checks will reduce privacy and operational risk.

Review Dimensions

Purpose & Capability
ok: The name/description describe a cloud AI video editor and the SKILL.md instructs calls to a nemo video API using an Authorization bearer token (NEMO_TOKEN). Requiring NEMO_TOKEN is appropriate for this purpose. Minor inconsistency: the SKILL.md frontmatter metadata references a config path (~/.config/nemovideo/) but the registry metadata listed no required config paths.
Instruction Scope
note: Instructions stay within the editing/export workflow (session creation, SSE for editing, upload, export polling). Two things to note: (1) the skill instructs detecting the install path to set an X-Skill-Platform header (this requires reading/inspecting typical install directories), and (2) it instructs generating and using an anonymous token automatically if no NEMO_TOKEN is present and explicitly tells the agent not to display raw API responses or token values. Both are explainable for UX/privacy purposes but worth verifying.
Install Mechanism
ok: Instruction-only skill with no install spec or downloads; nothing is written to disk by an installer. This is the lowest install risk.
Credentials
ok: Only one credential is required: NEMO_TOKEN (primary). That matches the stated cloud API integration. The skill also describes obtaining an anonymous token if none is provided, which is consistent with needing a credential for API calls. No unrelated credentials or secrets are requested.
Persistence & Privilege
ok: The skill does not request always:true and uses session IDs for job state (normal). It instructs storing the returned session_id for subsequent requests, which is appropriate. It does not instruct modifying other skills or global agent settings.