Skill v1.0.0
ClawScan security
Ai Editing Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 20, 2026, 3:27 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's runtime instructions largely match an online video-editing service (it asks for a NEMO_TOKEN and uploads footage to a cloud API), but there are a few inconsistencies and privacy risks you should understand before installing.
- Guidance: This skill appears to be a straightforward cloud video-editing connector, but before installing consider:
  1) It uploads your video files to https://mega-api-prod.nemovideo.ai — do you trust that external service and its privacy policy?
  2) If you set a NEMO_TOKEN in the agent environment it will be used directly; avoid putting long-lived or privileged credentials in a broadly available environment.
  3) If no token exists, the skill will automatically request an anonymous token from the service (creates outbound network traffic and a temporary account).
  4) There is a metadata mismatch: SKILL.md references a local config path (~/.config/nemovideo/) that the registry summary omitted — confirm whether the skill will read local config before granting file or config access.
  5) No install code is present (lower install risk), but verify the domain and owner (no homepage/source listed) or test with non-sensitive media first.

  If you need higher assurance, ask the publisher for a homepage, privacy policy, or source repository and for clarification about local config access and token handling.
Review Dimensions
- Purpose & Capability (note): The name/description (AI video editing) align with the runtime behavior: it calls a cloud rendering API, uploads video files, and returns edited outputs. Requesting a single service token (NEMO_TOKEN) is expected. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not declared in the registry metadata summary, creating a small inconsistency about whether the skill will access local config files.
- Instruction Scope (note): Instructions are focused on the declared cloud backend (mega-api-prod.nemovideo.ai) and define session creation, SSE chat, uploads and export workflows — all consistent with an editing service. Two behaviors merit attention: (1) if no NEMO_TOKEN is present the skill instructs the agent to call an anonymous-token endpoint to obtain a starter token automatically (this will cause outbound network auth calls without an existing token), and (2) the skill expects the agent to upload user video files (potentially sensitive) to the external service. The instructions do not ask the agent to read unrelated local files or other environment variables.
- Install Mechanism (ok): This is instruction-only with no install spec and no code files, so nothing is written to disk by an installer. That reduces install-time risk.
- Credentials (concern): Only NEMO_TOKEN is required, which is proportionate for a cloud editing service. But the frontmatter's inclusion of a config path (~/.config/nemovideo/) is inconsistent with the registry metadata and could imply reading local config if implemented. Also, the skill will use an environment token if present; consider whether you want to expose a long-lived token in the agent environment.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills, and has no install-time persistence. It can be invoked autonomously by the agent (default behavior), which is expected for skills of this type.
