Skill v1.0.0

ClawScan security

Editor With No · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:14 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video editing) aligns with its instructions and requested credential (NEMO_TOKEN); no install or unrelated credentials are requested, but there are a few minor inconsistencies and privacy considerations you should review before installing.
Guidance
What to consider before enabling this skill:
- Functionally this matches a cloud video editor: it needs one service token (NEMO_TOKEN), uploads your raw video files to nemovideo's API, and returns rendered videos. Expect your videos to be transferred to and processed on mega-api-prod.nemovideo.ai.
- Confirm you trust the nemovideo domain and its privacy policy before uploading any sensitive recordings. Uploaded content and tokens grant access to the remote service.
- Clarify persistence: the SKILL.md references generating a temporary anonymous token (100 credits, 7-day expiry) and mentions a config path (~/.config/nemovideo/) in its YAML frontmatter. Ask the skill author whether tokens or session IDs will be written to disk and exactly where. If you prefer, use a short-lived or dedicated token and avoid setting a global NEMO_TOKEN in your primary shell environment.
- The SKILL.md implies the agent may inspect its own frontmatter and detect install path to construct attribution headers — confirm that filesystem reads are limited to the skill file and any explicit config path, not broader user files.
- If you need stronger assurance, request these clarifications from the author: (1) exact storage location and lifetime of tokens/session_id, (2) whether any uploaded files or metadata are retained beyond rendering and for how long, and (3) whether requests ever go to domains other than mega-api-prod.nemovideo.ai.

Given those clarifications, this skill appears coherent with its stated purpose; treat it like any cloud editor and avoid uploading sensitive material until you confirm retention and token handling details.

Review Dimensions

Purpose & Capability
ok · The skill claims to perform server-side video editing and all runtime instructions point to a single external service (mega-api-prod.nemovideo.ai). Requesting a single service token (NEMO_TOKEN), using upload endpoints, session creation, SSE for streaming edits, and render/export endpoints is coherent with the stated purpose.
Instruction Scope
note · Instructions are specific to the remote editing API and do not direct the agent to read unrelated system files. Notable points: the skill expects to accept local video files for upload (multipart -F "files=@/path"), tells the agent to generate and persist an anonymous token if none exists, and instructs deriving some headers from the SKILL.md frontmatter and install path detection. Those require the agent to access the skill file and possibly check install paths or write a token/session somewhere — reasonable for this use case but worth confirming implementation details (where tokens and session_ids are stored, whether anything is written under ~/.config/nemovideo/).
Install Mechanism
ok · There is no install spec and no code files: instruction-only reduces risk since nothing is downloaded or extracted during install.
Credentials
note · Only one environment credential is required: NEMO_TOKEN (primaryEnv). That is appropriate for a single third-party editing service. The SKILL.md also describes a flow to anonymously obtain a token and suggests persisting it; storing a token in environment/config is normal but you should verify where the agent will persist it and for how long (the doc mentions a 7-day anonymous token and a ~/.config/nemovideo/ path in the SKILL.md frontmatter).
Persistence & Privilege
ok · The skill is not always-enabled and uses standard autonomous invocation defaults. It instructs the agent to save session_id and to use/store NEMO_TOKEN — typical for session-based APIs. There is no request to modify other skills or system-wide settings.