Skillv1.0.0

ClawScan security

Ai App For Video Editing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 18, 2026, 2:28 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent for a cloud-based video-editing integration: it asks for a service token (NEMO_TOKEN), instructs uploading footage to nemovideo.ai, and contains no unrelated credential or install demands.
Guidance: This skill will upload any videos you give it to the external service at mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN to authenticate (or it can mint a short-lived anonymous token for you). Before installing, consider: do you trust that external service with the footage and any PII in it? Prefer using the anonymous token flow if you don't want to store a long-lived credential. Note the SKILL.md asks the agent to save session IDs and to add custom headers (these are normal for the API but check that the domain and privacy policy meet your requirements). There's a minor metadata mismatch in the package frontmatter vs registry (a config path is mentioned in the file but not in registry metadata) — this looks like a documentation inconsistency rather than malicious behavior. If you need higher assurance, ask the skill author for a privacy policy or source code, and avoid providing unrelated secrets.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: the skill routes user edit requests to a cloud rendering API and requires a NEMO_TOKEN. The described API endpoints, upload, SSE, and render workflows are coherent with a video-editing service.
Instruction Scope: noteThe SKILL.md explicitly instructs the agent to: use NEMO_TOKEN (or obtain an anonymous token by POSTing to the service), create a session, upload files (multipart or by URL), send SSE messages, poll job status, and return download URLs. These actions are within the expected scope for a cloud video editor. Minor notes: the doc asks the agent to 'save session_id' (implying some persistent storage of session state) and to auto-detect an 'install path' for X-Skill-Platform header — both are implementation details that are reasonable but not fully specified here.
Install Mechanism: okThere is no install specification and no code files, so nothing will be written to disk by an installer. This is the lowest-risk pattern for an instruction-only skill.
Credentials: okOnly one credential is requested: NEMO_TOKEN (declared as primary). That matches the documented need to authenticate to the nemo video API. The skill also documents an anonymous-token flow if no token is provided. No unrelated secrets or multiple external credentials are requested.
Persistence & Privilege: okalways:false (default) and no special platform-wide privileges requested. The skill instructs saving session_id and using/storing a token for session lifetime, which is normal for a remote job workflow. It does not request modifying other skills or system-wide settings.