Skill v1.0.0
ClawScan security
Ai Video Editor Kiss Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 2:39 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud-based video-editing integration: it only requires a single service token, uploads user video files to the stated API, and has no install or unrelated credential demands.
- Guidance: This skill appears to do what it says: it will upload your video files to an external Nemovideo API and use a single service token (NEMO_TOKEN) or create an anonymous token if none is provided. Before installing/using it, confirm you are comfortable uploading potentially sensitive videos to https://mega-api-prod.nemovideo.ai (the skill's source and homepage are unknown), check service privacy/retention and cost implications (credits/exports may require registration), and avoid supplying unrelated credentials. If you plan to provide a long-lived NEMO_TOKEN, ensure it’s scoped appropriately and can be revoked.
Review Dimensions
- Purpose & Capability (ok): Name/description (cloud video editing for romantic/kiss scenes) align with required env var (NEMO_TOKEN) and the SKILL.md which documents an external Nemovideo API. Declared config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are plausible for this purpose.
- Instruction Scope (note): Instructions require uploading user-supplied media and exchanging tokens with https://mega-api-prod.nemovideo.ai, saving session_id, and streaming SSE chat. These are expected for a cloud render service but do mean user videos (and session metadata) will be transmitted to that external endpoint. The skill does read its own frontmatter and may probe install-paths to set an X-Skill-Platform header — this is limited but should be noted as filesystem access.
- Install Mechanism (ok): No install spec or code is included (instruction-only), so nothing is written to disk or downloaded by default. Lowest install risk.
- Credentials (ok): Only NEMO_TOKEN is required (primary credential). That is proportionate to a service that requires API authentication. No unrelated secrets or multiple credentials are requested.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request permanent platform-wide privileges or modify other skills. It does instruct saving session_id and using tokens for API calls, which is standard for a client of a remote service.
