Skill v1.0.0

ClawScan security

Not Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 8:52 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a remote AI video-editing service: it needs a NEMO_TOKEN, uploads user video files to nemovideo.ai, and manages session tokens — no extraneous credentials or installers are requested.
Guidance
This skill appears coherent for a cloud video-editing service, but review these points before installing or using it:

- Privacy: Your uploaded video files are sent to a third-party domain (mega-api-prod.nemovideo.ai). Do not upload sensitive or private footage unless you trust the service and its terms.
- Token storage: If NEMO_TOKEN is not provided, the skill will create an anonymous token and store it (metadata suggests ~/.config/nemovideo/). That token grants upload/render access for the token lifetime (the doc says 7 days). If concerned, provide your own token or delete/revoke the stored token after use.
- Source provenance: The skill has no homepage and the source is unknown. If you need stronger assurance, ask the publisher for a privacy policy, terms, or source code before uploading sensitive content.
- Network activity: The agent will make API calls, SSE connections, file uploads, and polling requests to the specified domain. If you must audit traffic, monitor outbound requests to mega-api-prod.nemovideo.ai.
- Least privilege: Prefer using a disposable/limited account or an explicitly provisioned NEMO_TOKEN rather than embedding long-lived credentials.

If you are comfortable with remote processing of your video files by nemovideo.ai and with session tokens being stored temporarily, the skill's footprint is proportionate to its stated purpose. If not, avoid uploading files or request more provenance from the skill author.

Review Dimensions

Purpose & Capability
ok: The skill claims to perform cloud video editing and only asks for a single service credential (NEMO_TOKEN) and a config path for storing session/token data. The declared requirements (NEMO_TOKEN and ~/.config/nemovideo/) align with the described behavior of calling nemovideo.ai APIs and uploading video files.
Instruction Scope
note: The SKILL.md instructs the agent to: generate or use an anonymous token, create sessions, upload user-supplied video files, send SSE messages, poll render status, and return download URLs. All of these actions are expected for remote rendering, but they do involve transmitting user video content and session tokens to an external domain (mega-api-prod.nemovideo.ai). The doc also instructs storing the token/session id and not showing raw API responses, which is operationally sensible but worth noting as a privacy consideration.
Install Mechanism
ok: No install spec or code is present; this is instruction-only. That is the lowest-risk install pattern since nothing is downloaded or written by the installer step beyond what the agent itself does at runtime.
Credentials
ok: Only one environment variable (NEMO_TOKEN) is required and it is the primary credential for the third-party API. No unrelated keys, secrets, or cloud-provider credentials are requested. The presence of a config path (~/.config/nemovideo/) for storing tokens/sessions is proportionate to the behavior.
Persistence & Privilege
note: always is false (no forced inclusion). The skill instructs creating/storing an anonymous token and session_id (metadata lists a config path), so it may persist credentials locally under ~/.config/nemovideo/. This is expected for session management but means tokens will exist on disk for the token lifetime (noted as 7 days for anonymous tokens).