Skill v1.0.0
ClawScan security
Video Online Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 12:26 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's required credential and API calls match its stated purpose (remote video editing), but there are small inconsistencies and a few places the skill asks the agent to inspect or store state (install path, session/token) that you should understand before use.
- Guidance: This skill appears to do what it says (remote video editing) and only needs a single service token, but check a few things before installing: 1) Trust and domain: uploads and tokens go to https://mega-api-prod.nemovideo.ai — only use the skill if you trust that service and are comfortable uploading your videos. 2) Token handling: the skill can obtain an anonymous NEMO_TOKEN for you; if you prefer control, supply your own NEMO_TOKEN and confirm whether the skill will persist it to disk or keep it only in memory. 3) Filesystem access: the runtime asks the agent to detect an install path and references ~/.config/nemovideo/ in the SKILL.md metadata — ask the author to clarify what filesystem reads/writes (if any) the skill performs. 4) Privacy: uploaded video content will be processed server-side — review the service's privacy/TOS if your content is sensitive. If any of these points are unacceptable or unclear, request clarification from the publisher before use.
Review Dimensions
- Purpose & Capability (note): The skill requires a single credential (NEMO_TOKEN) which is appropriate for a cloud video-editing backend. One inconsistency: the registry metadata provided to you lists no required config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) — this mismatch should be clarified. Otherwise requested capabilities (uploading video, SSE, render/export endpoints) align with the described purpose.
- Instruction Scope (note): The instructions stick to remote editing, file upload, polling SSE, and export workflows. However the runtime directions instruct the agent to: check environment for NEMO_TOKEN, if missing call an anonymous-token endpoint to obtain a token, keep session_id for operations, and detect an install path to set an X-Skill-Platform header. Detecting the install path implies reading agent filesystem state; obtaining and caching tokens implies storing sensitive values — both are within the skill's needs but expand its scope beyond simple message passing and should be understood.
- Install Mechanism (ok): This is instruction-only (no install spec, no code files), which is the lowest-risk install mechanism. Nothing is downloaded or executed by an installer.
- Credentials (ok): Only one environment credential is declared (NEMO_TOKEN) and all API calls are authenticated with it; that is proportionate for a remote video service. No unrelated secrets or multiple credentials are requested.
- Persistence & Privilege (note): always:false (normal). The skill expects to obtain and reuse a session_id and may obtain an anonymous NEMO_TOKEN automatically. The SKILL.md implies persisting or caching these tokens/session IDs for the session lifecycle (and references a config path in its metadata). The skill does not explicitly state where/how it will store tokens — clarify whether tokens are kept only in memory, written to ~/.config/nemovideo/, or exported into the agent environment.
