Skill v1.0.0
ClawScan security
Video Editor Hiring · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 2:40 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud video-editing integration, but there are provenance gaps and a small metadata mismatch you should verify before installing.
- Guidance: This skill appears to do what it says (cloud-based video editing) and only needs one service token (NEMO_TOKEN). Before installing: 1) confirm the backend domain (mega-api-prod.nemovideo.ai) and that you trust it to handle your videos and retention/privacy; 2) ask the publisher to clarify the metadata mismatch about ~/.config/nemovideo/ (will it read/write that path?); 3) avoid placing highly sensitive footage or long-term credentials in NEMO_TOKEN without knowing the provider's policies; and 4) prefer skills with a verifiable homepage or publisher identity — the source here is unknown, which lowers confidence.
Review Dimensions
- Purpose & Capability (note): The skill claims to perform cloud video editing and only requests a single service token (NEMO_TOKEN) which is appropriate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier reported no required config paths — that mismatch should be clarified. The skill's source/homepage is unknown, which reduces confidence in provenance.
- Instruction Scope (ok): The instructions stay within the scope of a remote render service: create or reuse a token, create a session, upload files, drive SSE/chat and export. It does not instruct accessing unrelated local files or other credentials. It does require adding specific attribution headers and detecting an install platform string from an install path (minor footprint).
- Install Mechanism (ok): No install spec and no code files (instruction-only) — lowest-risk install mechanism. All runtime actions are HTTP calls to the described backend.
- Credentials (note): Only NEMO_TOKEN is declared as required, which is proportionate for a managed video-rendering API. Note the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/); if the skill expects to read or write that path, it should be declared in registry metadata. Confirm whether the skill will persist tokens or cached files to that location.
- Persistence & Privilege (ok): always:false and default autonomous invocation are set. No signals that the skill requests elevated or permanent platform privileges beyond normal operation.
