Skill v1.0.0

ClawScan security

Text To Video Editing Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 6:01 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (cloud-based text-driven video editing) aligns with its runtime instructions and required credential (NEMO_TOKEN); however there are minor metadata inconsistencies and privacy considerations you should review before using it.
Guidance
This skill appears to do what it claims (upload your video files to a cloud API and return edited downloads). Before installing or using it:
1) Understand that your raw video (and any embedded audio/visual content) will be transmitted to mega-api-prod.nemovideo.ai — review their privacy/retention policy if possible.
2) Confirm what the ~/.config/nemovideo/ configPath means: the frontmatter suggests a local config may be read, but the registry metadata omitted it — avoid placing other secrets or credentials in that folder.
3) Prefer using the anonymous token flow for testing (non-sensitive sample videos) before supplying a persistent NEMO_TOKEN.
4) Because the skill's source and homepage are unknown, consider checking the API domain reputation or testing in a sandboxed account.
5) Do not provide unrelated credentials or sensitive data; if you need a production workflow, ask the vendor for documentation and explicit data-retention / deletion policies.

Review Dimensions

Purpose & Capability
note: The name/description (text → video edits) match the SKILL.md: it instructs the agent to upload video files and call a cloud render API. The single required credential (NEMO_TOKEN) is appropriate for a cloud service. One inconsistency: the registry top-level metadata lists no required config paths, but the skill frontmatter includes a configPaths entry (~/.config/nemovideo/) — this is not clearly justified by the text and should be confirmed.
Instruction Scope
note: SKILL.md explicitly instructs the agent to look for NEMO_TOKEN (or request an anonymous token), create sessions, upload user video files (multipart or by URL), use server-sent events for edits, poll render endpoints, and return download URLs. These actions are within the stated purpose, but they mean user video and metadata will be transmitted to an external service (mega-api-prod.nemovideo.ai). The instructions ask the agent to include attribution headers and to avoid exposing raw API output or tokens to the user; otherwise they do not request unrelated files or extra environment variables.
Install Mechanism
ok: No install spec and no code files (instruction-only). This is low-risk in terms of writing or running new binaries on disk. All runtime behavior is network calls initiated by the agent.
Credentials
note: Only NEMO_TOKEN is declared as required/primary — appropriate for a single cloud service. The SKILL.md supports creating an anonymous token if none is provided. The metadata's configPaths entry (~/.config/nemovideo/) is inconsistent with the registry's 'no config paths' and raises a question whether the skill expects to read a local config file; this should be clarified. There are no requests for unrelated secrets or multiple unrelated credentials.
Persistence & Privilege
ok: always is false and the skill does not request system-wide changes or permissions. It does not declare any privileged persistence behavior. Autonomous invocation is allowed by default (disable-model-invocation: false) but that is normal for skills and not by itself a negative.