Skill v1.0.0

ClawScan security

Ai Video Editor Best · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 11, 2026, 9:16 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches an AI video-editing service, but there are a few inconsistencies and loosely scoped instructions (local file access, a config path in the frontmatter, and an anonymous-token fallback to a third-party endpoint) that you should understand before installing.
Guidance
What to check before installing or using this skill:
- Confirm the backend domain (mega-api-prod.nemovideo.ai) and the service operator are trustworthy. The skill will contact that endpoint to authenticate and process video uploads.
- Only provide NEMO_TOKEN values you trust. Do not reuse high-privilege secrets (for example, AWS keys) as NEMO_TOKEN.
- When uploading files, prefer sending explicit user-provided video files through the chat UI rather than giving arbitrary local file paths; the instructions reference local path uploads which could be abused if the agent has file access.
- Ask the maintainer to explain the configPath (~/.config/nemovideo/) shown in the skill's frontmatter; verify whether the skill will attempt to read that directory and why.
- If you want tighter control, disable automatic anonymous-token acquisition (or audit the network call) and use a scoped ephemeral token for one-off sessions.
- If anything about the domain, token flow, or file-access behavior is unclear, treat the skill as untrusted until you get clarification.

Review Dimensions

Purpose & Capability
note: Name/description, API endpoints, and required NEMO_TOKEN align with a cloud video-editing service — asking for a token and file uploads is expected. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata at the top stated no required config paths: this metadata mismatch is inconsistent and worth verifying.
Instruction Scope
concern: Runtime instructions tell the agent to use NEMO_TOKEN if present or to request an anonymous token from https://mega-api-prod.nemovideo.ai. They also document multipart uploads using local file paths (e.g. -F "files=@/path"). That is appropriate for uploading user-provided videos, but the wording is permissive and could lead to the agent attempting to read arbitrary local paths if not carefully constrained. The skill also asks agents to auto-detect an install path for the X-Skill-Platform header, which implies reading environment/install locations.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — minimal on-disk footprint and low install risk.
Credentials
note: Only one declared credential (NEMO_TOKEN), which is appropriate for a cloud editing API. The frontmatter's configPaths entry (~/.config/nemovideo/) is not reflected in the registry 'required config paths' field — this inconsistency could indicate the skill expects to read local config files (not justified explicitly). The anonymous-token fallback does not require a secret but does involve contacting a third-party endpoint to obtain a token.
Persistence & Privilege
ok: Skill is not always-enabled and does not request elevated or cross-skill configuration changes. It uses the normal autonomous invocation default but does not declare persistent/system-wide privileges.