Skill v1.0.0
ClawScan security
Editor For Pc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 17, 2026, 4:43 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud video editing) matches most of its instructions, but there are inconsistencies in metadata and a few implementation details that warrant caution before installing.
- Guidance: This skill appears to be a frontend for a third-party cloud video-editing API (mega-api-prod.nemovideo.ai). Before installing:
  1) Decide whether you are comfortable uploading your videos to an unknown external service with no listed homepage or owner information.
  2) Confirm where NEMO_TOKEN and the session_id will be stored (in-memory vs on-disk under ~/.config/nemovideo/) and whether the skill will read other files (it asks to detect install path).
  3) Validate the API domain and service reputation if possible; prefer skills with a known homepage or vendor.
  4) If you proceed, limit the token's scope and lifetime (use anonymous token or a disposable account), avoid sending sensitive footage, and delete stored tokens/sessions after use.
  The metadata mismatch (frontmatter lists a config path but registry metadata did not) is unexplained — ask the skill author to clarify where any credentials or session data are saved and why filesystem access is needed.
Review Dimensions
- Purpose & Capability
- ok: The name and description match the instructions: the skill uploads videos and calls a Nemo cloud API to edit and render. Requesting a NEMO_TOKEN and calling render/upload endpoints is coherent with a cloud video-editing service.
- Instruction Scope
- note: Instructions are largely scoped to interacting with the nemo API (auth, upload, SSE, render, poll). However the SKILL.md asks the agent to detect install path (to set X-Skill-Platform) and references a config path (~/.config/nemovideo/) in its frontmatter — this requires reading filesystem state. The skill also instructs storing session_id and tokens for subsequent requests but does not specify where or how (memory vs disk). Those filesystem/config actions expand scope beyond simple API calls and should be confirmed.
- Install Mechanism
- ok: No install spec or code files are present (instruction-only), so nothing is downloaded or written by a packaging/install step. This minimizes install-time risk.
- Credentials
- note: The skill declares a single primary credential (NEMO_TOKEN), which is appropriate for a hosted API. However the frontmatter also lists a config path (~/.config/nemovideo/) but the registry metadata reported no required config paths — that mismatch is unexplained. The instructions will generate an anonymous token if NEMO_TOKEN is absent, which is reasonable but means the skill will make network calls to obtain and then use/store tokens.
- Persistence & Privilege
- note: always:false (normal). The skill will create/hold a session_id and may persist or reuse a token for up to 7 days. It also asks to detect install path and references a per-user config directory — these imply potential filesystem reads/writes limited to the skill's own config, but the storage location and permissions are unspecified.
