Skill v1.0.0
ClawScan security
Video Editor Kaise · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 4:52 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with a cloud-based video editing service: it asks only for a service token (NEMO_TOKEN), uploads media to the provider's API, and does not request unrelated credentials or install binaries.
- Guidance
- This skill will upload any video/audio files you provide to https://mega-api-prod.nemovideo.ai for cloud editing and rendering; only a single service token (NEMO_TOKEN) is used and an anonymous token is obtained automatically if you don't provide one. Before installing or using: (1) confirm you trust the nemovideo service and its privacy/security policies because your media will be transmitted off-device; (2) avoid uploading sensitive content unless you're comfortable with that third party; (3) if you have an account, prefer providing your own token rather than relying on the anonymous fallback; (4) note the skill reads its own YAML frontmatter and the agent install path to populate attribution headers — this requires limited local metadata access. The instructions also contain a small mismatch in status/code messaging (402 noted for attribution failure), which seems like a documentation quirk but not a functional red flag.
Review Dimensions
- Purpose & Capability
- ok: Name/description (cloud video editing) match the declared requirement of a NEMO_TOKEN and the API endpoints in SKILL.md. The declared config path (~/.config/nemovideo/) and the primaryEnv NEMO_TOKEN are consistent with a remote video render service.
- Instruction Scope
- note: Instructions involve uploading user media and creating sessions with mega-api-prod.nemovideo.ai, which is appropriate for the stated purpose. The skill also instructs the agent to read this file's YAML frontmatter for X-Skill-Version and to detect install path to set X-Skill-Platform — this requires limited local file/path reads. That extra attribution step is plausible but broadens the scope to reading local agent metadata.
- Install Mechanism
- ok: No install spec and no code files—instruction-only—so nothing is written to disk or downloaded by the skill at install time, which is low risk.
- Credentials
- ok: Only one credential is required (NEMO_TOKEN). The SKILL.md also includes a fallback flow to obtain an anonymous token if no token is provided; no other unrelated secrets are requested.
- Persistence & Privilege
- ok: always is false and the skill does not request elevated or persistent system privileges. It only reads limited local metadata (frontmatter and install path) and does not modify other skills or system-wide settings.
