Skill v1.0.0
ClawScan security
Video Editor Better Than Capcut · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 5:04 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behaviour largely matches a cloud video-editing tool, but there are inconsistencies (a claimed config path in the skill frontmatter vs registry metadata) and it will upload user files and obtain/handle tokens for an external API — the pieces mostly fit but a few unexpected items merit caution.
- Guidance: This skill generally behaves like a cloud video-editor: it uploads your clips to an external API, creates/uses a NEMO_TOKEN, and returns edited outputs. Before installing or using it: (1) Verify the external domain (mega-api-prod.nemovideo.ai) and the publisher — there is no homepage or publisher info in the registry. (2) Prefer supplying your own NEMO_TOKEN only if you trust the service; anonymous tokens can be created automatically as the instructions describe. (3) Clarify why the skill's frontmatter references ~/.config/nemovideo/ and why the registry metadata doesn't list that config path — avoid installing if you don't want a skill that may access your home/config directories. (4) Do not allow autonomous/background runs on sensitive video files; the skill will upload files to an external cloud service. (5) If you need more assurance, ask the publisher for a privacy/storage policy and confirm whether uploaded media are persisted or used for model training.
Review Dimensions
- Purpose & Capability (concern): The skill describes a cloud-based AI video editor and requires a NEMO_TOKEN which matches that purpose. However, the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/) that is not listed in the registry-level 'Required config paths' metadata. The frontmatter also instructs detection of agent install paths (~/.clawhub, ~/.cursor), which implies reading filesystem locations beyond just handling uploaded clips — this mismatch should be clarified.
- Instruction Scope (note): Runtime instructions are focused on creating a session, uploading clips, streaming SSE messages, checking credits/state, and exporting — all consistent with a cloud video editor. The instructions do ask the agent to read this file's YAML frontmatter and to detect install paths in the home directory: those file/FS reads are outside the core editing flow and could access user environment details that aren't strictly necessary for editing.
- Install Mechanism (ok): No install spec and no code files — this is instruction-only, so nothing is written to disk by an installer. That lowers install risk; the skill relies on making outbound API calls at runtime.
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared as required, which is proportionate for a cloud API. The skill also describes generating an anonymous token from the service if NEMO_TOKEN is absent (reasonable). The earlier-noted frontmatter configPaths entry suggests the skill may expect or attempt access to ~/.config/nemovideo/, which was not declared in the registry metadata — this inconsistency increases risk because it implies access to a local config area that wasn't advertised.
- Persistence & Privilege (note): The skill is not always-enabled and uses normal autonomous invocation. It will, if used, send user video files and session tokens to an external domain (mega-api-prod.nemovideo.ai). Autonomous invocation plus outbound uploads means the skill could transmit data without further prompting if granted permission — combine that with the configPath ambiguity and you should be cautious about unattended/autonomous use on sensitive files.
