ClawHub
Back to skill
v1.0.0

Video Using Ai

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 12:14 PM.

Analysis

This instruction-only skill is consistent with cloud AI video editing, but it uploads media to an external service and uses a NEMO token/session.

GuidanceBefore installing, make sure you are comfortable sending your video files and edit instructions to the Nemo video cloud service. Protect NEMO_TOKEN like a password, avoid uploading sensitive footage unless you trust the provider, and keep export sessions open until jobs finish.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityLowConfidenceHighStatusNote
SKILL.md
"click" or "点击" → execute the action via the relevant endpoint

The skill tells the agent to turn backend GUI-style text into API actions, so remote service responses can guide the agent's behavior within the editing session.

User impactA backend response could influence what the agent does next during the video workflow.
RecommendationUse the skill only for the intended editing task and review important actions such as uploads, edits, and exports.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
Upload — `POST /api/upload-video/nemo_agent/me/<sid>` ... Export — `POST /api/render/proxy/lambda`

The skill directs the agent to perform network API operations that upload files, mutate a remote editing session, and start export jobs. These actions match the purpose but are user-impacting.

User impactYour media may be uploaded and remote credits or render jobs may be used as part of normal operation.
RecommendationConfirm that the files and requested edits are intended before invoking upload or export actions.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
metadata
Source: unknown; Homepage: none

The registry metadata does not provide a source repository or homepage for independent provenance review, even though the skill depends on a remote cloud service.

User impactYou have less public provenance information to verify who maintains the skill or service integration.
RecommendationReview the domain and provider trustworthiness before uploading sensitive footage.
Cascading Failures
SeverityLowConfidenceHighStatusNote
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

A render job can continue or become detached from the user interface if the session is interrupted, which can leave remote work in an uncertain state.

User impactInterrupted exports could leave remote jobs running or make it harder to recover the output.
RecommendationKeep the session open until exports complete and check status before starting duplicate render jobs.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
`requires`: {"env": ["NEMO_TOKEN"] ... "primaryEnv": "NEMO_TOKEN"} ... `Authorization: Bearer <NEMO_TOKEN>`

The skill requires a bearer token for the Nemo video service. This credential use is declared and purpose-aligned, but it grants access to a remote account/session and credits.

User impactAnyone with the token may be able to access or use the associated Nemo video service session or credits.
RecommendationKeep NEMO_TOKEN private, avoid sharing logs that may contain it, and rotate it if you suspect exposure.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
Save `session_id` from the response ... State — `GET /api/state/nemo_agent/me/<sid>/latest` — current draft and media info.

The skill stores and later retrieves remote session state and draft/media information, which can shape subsequent summaries and edits.

User impactThe current editing draft and session context may persist and influence later actions in the same project.
RecommendationStart a new session for unrelated projects and avoid mixing sensitive footage with unrelated editing tasks.
Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
The AI video creation runs on remote GPU nodes ... All calls go to `https://mega-api-prod.nemovideo.ai`.

The skill communicates with an external provider for processing and rendering. This is clearly disclosed and necessary for the purpose, but user media and prompts are sent off-device.

User impactRaw footage, editing instructions, and generated drafts may be processed by the external Nemo video service.
RecommendationDo not upload confidential, regulated, or private footage unless you trust the provider and its data handling.