Skillv1.0.0

ClawScan security

Facebook Editor Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 10, 2026, 11:04 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud video-editing integration: it asks only for a NEMO_TOKEN (or uses an anonymous token flow), describes API endpoints and upload/export workflows, and has no install or unrelated credential requirements.
Guidance: This skill appears to do what it says: it uploads user videos to nemovideo.ai for cloud editing and returns rendered outputs. Before installing/providing credentials: (1) Confirm you trust the domain (mega-api-prod.nemovideo.ai) and understand the privacy implications of uploading videos to a third-party cloud (sensitive content will be transmitted and stored by that service). (2) Prefer using the anonymous-token flow if you don't want to give a long-lived NEMO_TOKEN; if you must supply NEMO_TOKEN, verify its scope/permissions and limit it. (3) Note a small metadata mismatch: SKILL.md references a config path (~/.config/nemovideo/) although registry metadata lists none—ask the publisher to clarify. (4) The skill has no install and no other credential requests, but the source/homepage is missing; consider requesting publisher info or reviewing service terms before trusting it with private media.

Purpose & Capability: okThe name/description (Facebook video editing) align with the declared requirement (NEMO_TOKEN) and the SKILL.md instructions which call the nemovideo.ai render/upload/session APIs. Required headers and endpoints relate to the described cloud rendering service.
Instruction Scope: okSKILL.md instructs network interactions (session creation, SSE chat, upload, export), polling, and token handling — all within the scope of a cloud video editor. It does not instruct reading unrelated system files or unrelated credentials. It does ask to 'keep technical details out of the chat' but that is a UX directive, not an exfiltration step.
Install Mechanism: okThere is no install spec and no code files — this is an instruction-only skill, so nothing is written to disk and no external packages are installed.
Credentials: noteThe skill requests a single credential, NEMO_TOKEN, which is proportional for access to the described API. Note: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) despite the registry metadata stating no required config paths — this metadata mismatch should be clarified. Also verify what scope/privileges NEMO_TOKEN grants before providing it.
Persistence & Privilege: okalways:false (default) and no install behavior means the skill does not demand permanent/privileged presence. Autonomous invocation is allowed by platform default but is not combined with broad or unrelated credential access here.