Skill v1.0.0
ClawScan security
Ai Video Editor Download Apk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 8:06 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's runtime instructions generally match a cloud video-editing service (it uploads videos and requests a service token), but there are metadata/name mismatches and it will send user video files and generated tokens to an external, unverified endpoint — you should review privacy and provenance before using it.
- Guidance: This skill will upload your video files to a third-party API (mega-api-prod.nemovideo.ai) and authenticate with a token. Before installing or invoking it:
  1) Confirm the service provider and privacy policy — do you trust that host with your videos?
  2) Note the name mismatch ('APK') and missing homepage/source — lack of provenance is a red flag.
  3) Understand that if you don't provide NEMO_TOKEN, the skill will create an anonymous token (it generates a client UUID and exchanges it for a short-lived token) and that token is used for requests; consider whether you want ephemeral credentials created this way.
  4) If you have sensitive content, avoid uploading until you verify the domain and operator.
  5) If you proceed, monitor outbound requests and prefer to run this only with explicit user consent for each upload.

  If you can, contact the skill author or prefer a vendor with a clear homepage and documented security/privacy terms.
Review Dimensions
- Purpose & Capability (note): The SKILL.md clearly implements a cloud video-editing workflow (upload, SSE conversation, render/export) and requires a single service token (NEMO_TOKEN), which is consistent with the stated editing/export purpose. However, the skill name ('Ai Video Editor Download Apk') and public metadata are misleading: the name suggests an APK or installer when the instructions only describe a cloud API for video processing. Also, the registry metadata reported no required config paths while the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/). These mismatches reduce confidence in provenance/documentation.
- Instruction Scope (concern): The instructions direct the agent to upload user video files and session data to an external API (https://mega-api-prod.nemovideo.ai). That is expected for a cloud editor, but it means user content (potentially sensitive videos) will be transmitted to an unverified third party. The SKILL.md also instructs generating anonymous tokens and using them as NEMO_TOKEN if none is present, which could fingerprint the agent (UUID X-Client-Id) and create short-lived credentials. There are no instructions to access unrelated local files or secrets, but the skill does derive headers from install paths and frontmatter (it may need to inspect install path), so it could read limited local state to set X-Skill-Platform.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written by an installer. That lowers risk from supply-chain installs.
- Credentials (note): Only one credential is declared (NEMO_TOKEN), which is directly used for API auth and is proportionate. The SKILL.md includes a flow to obtain an anonymous token if none is present, so it does not strictly require a pre-provisioned secret. The frontmatter's configPaths entry (~/.config/nemovideo/) is present in the file but the registry metadata earlier claimed no required config paths — an inconsistency worth verifying.
- Persistence & Privilege (ok): always:false and default model invocation settings are used. The skill does not request persistent system-level privileges or modifications to other skills. It does not ask to enable itself everywhere.
