Skill v1.0.0
ClawScan security
Video Editing With Generative Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 3:02 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a cloud-hosted AI video-editing service; nothing requested is disproportionate to its stated purpose, though you should be aware it uploads your video to an external API and the skill source is unknown.
- Guidance
- This skill appears coherent for a cloud-based AI video editor, but consider the following before installing:
  - Privacy: uploaded videos go to mega-api-prod.nemovideo.ai. Do not upload confidential or sensitive footage unless you trust that service and have reviewed its privacy/retention policy.
  - Token handling: if you provide a persistent NEMO_TOKEN, it grants access to the service; prefer a scoped/dedicated token or anonymous tokens for quick tests. The skill can also obtain an anonymous token automatically (100 free credits, 7-day expiry).
  - File access: the instructions assume the runtime can attach multipart file data. Confirm how your client supplies uploaded files (streamed attachments vs. filesystem paths) so the skill does not attempt to read arbitrary host filesystem paths.
  - Source provenance: the skill's source/homepage is unknown. If you need stronger assurance, request a homepage, privacy policy, or repository from the publisher before using it with real or sensitive content.
  - Operational limits: the skill documents rate limits, error codes, and required attribution headers; ensure your deployment can send the headers and handle the SSE/polling model.
- If you accept these tradeoffs and the external service is acceptable for your data, the skill appears consistent with its stated purpose.
Review Dimensions
- Purpose & Capability
- note: Name, description, and required credential (NEMO_TOKEN) align with a cloud video-editing backend. Minor mismatch: metadata lists a config path (~/.config/nemovideo/) that the SKILL.md does not explicitly read or write; likely harmless but unnecessary in this instruction-only skill.
- Instruction Scope
- note: SKILL.md stays within video-editing behavior: token check/creation, session creation, SSE messaging, file upload, render/poll, and credits checks. It instructs the agent to upload user files to https://mega-api-prod.nemovideo.ai and to send multipart file paths (e.g., -F "files=@/path"). That assumes the agent/runtime can access files by path or handle attached uploads; confirm that your client actually supplies uploaded file data rather than giving the skill arbitrary filesystem access. The instructions explicitly say not to expose tokens or raw API output, which is good.
- Install Mechanism
- ok: No install spec and no code files; this is an instruction-only skill. This minimizes on-disk code risk.
- Credentials
- ok: Only one environment variable is required (NEMO_TOKEN) and it is directly relevant to the API. The skill can also obtain an anonymous token by calling the service if no NEMO_TOKEN is present; this behavior is documented in the instructions. There are no unrelated secrets requested.
- Persistence & Privilege
- note: always:false (normal). The skill is allowed to be invoked autonomously (platform default). That alone is not a red flag, but because this skill transmits user video/audio data to an external cloud API, you should be aware that an autonomous agent could call the service and upload data without explicit further prompts if the agent were granted that flow.
