Skill v1.0.0

ClawScan security

Ai Video Editor In Capcut · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 6:33 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is mostly coherent for a cloud-based AI video editor, but there are a few inconsistencies and privacy-relevant behaviors you should understand before installing.
Guidance
This skill will upload your video files and session data to an external service at mega-api-prod.nemovideo.ai and requires an API token (NEMO_TOKEN) or it will generate an anonymous token for you. Before installing:
1) Verify the service/domain and the publisher (confirm 'nemovideo.ai' is the intended backend for the advertised 'CapCut' functionality).
2) Understand privacy: any video you send will be processed on that third-party cloud GPU — do not upload sensitive or private content unless you accept that.
3) Prefer the anonymous-token flow for testing (it issues short-lived tokens), and do not store high-value secrets in NEMO_TOKEN.
4) Clarify where the skill stores session_id and any cached data (local disk, agent config, etc.).
5) Note the SKILL.md references reading local install paths and YAML frontmatter for attribution — confirm that reads are limited to the skill's own files and not other system credentials.
6) Test first with non-sensitive sample videos and monitor network calls; if in doubt, contact the skill author or use an alternative known/trusted integration.

Review Dimensions

Purpose & Capability
note: The skill's name and description promise 'AI Video Editor in CapCut', but the runtime instructions call a 'nemovideo.ai' API (mega-api-prod.nemovideo.ai). That could be the actual backend, but the apparent brand mismatch is worth verifying. Required capability (uploading video, creating sessions, exporting) aligns with the described purpose.
Instruction Scope
concern: The SKILL.md instructs the agent to: generate an anonymous token or use NEMO_TOKEN, POST to the external API, upload user video files (multipart or by URL), and save session_id. That means user video media and session tokens are sent to a third-party cloud service. The file also directs the agent to read its own YAML frontmatter and detect install paths (~/.clawhub, ~/.cursor/skills/) to set attribution headers — this requires reading local paths/config. These actions are expected for a cloud editor but are privacy-sensitive (uploads to an external service) and include unspecified persistent storage of session identifiers.
Install Mechanism
ok: Instruction-only skill with no install spec or code to download. Lowest install risk — nothing is written by an installer step. Network calls will occur at runtime per SKILL.md.
Credentials
note: The skill requires a single env var: NEMO_TOKEN (primary credential). That is proportionate for an API-backed service. However, the SKILL.md's frontmatter also lists a config path (~/.config/nemovideo/) whereas registry metadata above listed none — this inconsistency should be clarified. No unrelated credentials (AWS, GitHub, etc.) are requested.
Persistence & Privilege
ok: always is false and the skill is user-invocable. The SKILL.md asks to save session_id and use tokens, which is normal for session management. It does not request permanent always-on presence or modify other skills' configs.