Back to skill
Skillv1.0.0
ClawScan security
Video Editor Ai Mac · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 16, 2026, 4:24 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a cloud-based AI video editing service: it needs a single service token, uploads user video files to the stated backend, and has no install-time code or unrelated credential requests.
- Guidance
- This skill appears internally consistent for a cloud-based video editor. Before installing, consider: you will upload your raw video files to https://mega-api-prod.nemovideo.ai (check privacy, retention, and terms); provide or allow creation of a NEMO_TOKEN (anonymous tokens are transient but still grant upload rights); avoid sending sensitive or private footage unless you trust the service; confirm how long processed videos are stored and whether they link to an account; if you prefer control, create and supply your own service token rather than relying on anonymous-token generation. If anything about the backend domain or the vendor is unfamiliar, verify the service independently before uploading important content.
Review Dimensions
- Purpose & Capability
- okName/description (AI video editing) align with the runtime instructions: the SKILL.md describes creating a session, uploading video files, running render jobs, and downloading results. Requested env var (NEMO_TOKEN) and config path (~/.config/nemovideo/) match the described backend service.
- Instruction Scope
- noteInstructions are focused on obtaining/using a NEMO_TOKEN, creating a session, uploading files, and controlling renders. They explicitly direct uploads to the remote API and require certain headers. Note: the skill will send user video files and session metadata to an external service — this is expected for the stated purpose but is a privacy consideration. It also asks to auto-detect X-Skill-Platform from install path (minor scope creep because it may read environment/install path).
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. Nothing is downloaded or written by an installer, which reduces risk.
- Credentials
- okOnly NEMO_TOKEN (primary credential) and a config path for nemovideo are requested. That is proportionate for a cloud service that requires authentication. The SKILL.md also supports generating an anonymous token if none is present (transient, limited credits).
- Persistence & Privilege
- okSkill is not always-enabled and does not request persistent elevated privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other concerning factors.