Skill v1.0.0

ClawScan security

Tiktok Video Editor App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 12, 2026, 4:49 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (cloud video editing) aligns with its runtime instructions to call an external Nemovideo API and upload user videos, but there are small inconsistencies and trust/privacy concerns (unknown source, no homepage, declared env/config mismatches) that merit caution before installing.
Guidance
This skill sends any uploaded videos and metadata to https://mega-api-prod.nemovideo.ai — the source and homepage are not provided, so verify that domain and service before uploading private content. The skill declares an env var NEMO_TOKEN but will also generate an anonymous token automatically; avoid pasting highly sensitive tokens into skills you don't fully trust and prefer anonymous mode if available. Check for a privacy policy or official project page, and if you must provide a permanent NEMO_TOKEN, only do so if you trust the operator. Finally, be aware the skill will read its own frontmatter and detect install paths (it may inspect typical skill install directories) — avoid installing on systems with sensitive files in those paths. If you want higher assurance, request the skill author/publisher info or an official homepage and an explanation for the env/config mismatch before installing.

Review Dimensions

Purpose & Capability
note: The skill claims to perform TikTok-oriented cloud video editing and its SKILL.md exclusively describes API calls, uploads, session management, and exports to a video-processing backend — this is coherent with the stated purpose. Minor inconsistency: the registry lists no required config paths but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/).
Instruction Scope
note: Runtime instructions stay within the editing workflow (obtain/use a token, create session, upload files, request renders, poll exports). They do instruct the agent to read this skill's YAML frontmatter and detect the install path to set an X-Skill-Platform header (which requires inspecting file/install paths). The skill does not instruct reading arbitrary system files or unrelated environment variables, but it will upload user media to an external third-party domain.
Install Mechanism
ok: There is no install spec or third-party binary download; the skill is instruction-only, which minimizes install-time risk because nothing is written or executed on disk by an installer.
Credentials
concern: The skill declares a single primary credential NEMO_TOKEN (appropriate for a remote API). However, registry metadata and SKILL.md are inconsistent: requires.env lists NEMO_TOKEN as required, yet SKILL.md includes a full fallback that generates an anonymous token automatically if NEMO_TOKEN is absent. That mismatch (declared required env var vs. runtime anonymous-auth fallback) is surprising and worth noting. The skill does not request unrelated credentials, which is good.
Persistence & Privilege
note: The skill is not force-included (always: false) and uses normal autonomous invocation. It asks the agent to store a session_id for ongoing requests and to inspect the install path to set an attribution header — these are limited privileges and not obviously excessive, but installing an always-enabled skill would increase risk (this skill does not request that).