Skill v1.0.0

ClawScan security

Free Video Editor App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 8:49 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are consistent with a cloud-based video editing integration; nothing requested is disproportionate, though there are minor metadata inconsistencies and normal privacy considerations when uploading files to an external service.
Guidance
This skill appears to do what it claims: it uploads videos to a remote render API and returns edited MP4s. Before installing, consider:
1) Any files you send will be uploaded to https://mega-api-prod.nemovideo.ai — do not send private or sensitive footage you wouldn't want stored/processed offsite.
2) NEMO_TOKEN (if set) will be used for all requests — treat it like a service credential; use an ephemeral/limited token if possible.
3) SKILL.md metadata mentions a config path (~/.config/nemovideo/) even though the registry metadata did not — confirm with the publisher whether any local config is actually read or written.
4) Because this is an instruction-only skill with no homepage or publisher info, you may want to verify the service's privacy/terms and test with non-sensitive media first.
If you want, I can draft questions to ask the publisher or help you test the skill safely.

Review Dimensions

Purpose & Capability
ok: Name and description describe cloud video editing; the only declared credential (NEMO_TOKEN) and the APIs referenced (session, upload, render) are coherent with that purpose. No unrelated binaries or unrelated cloud credentials are requested.
Instruction Scope
note: SKILL.md instructs the agent to create/consume session tokens, upload local files (multipart file upload or URL), send messages via SSE, and poll export status — all expected for a remote render service. It also instructs generating an anonymous token if NEMO_TOKEN is absent. Be aware that uploads send user files to the nemovideo.ai endpoints; the docs tell the agent to include attribution headers and the auth token on every request. The skill does not instruct reading arbitrary unrelated files or secrets beyond NEMO_TOKEN, but it does reference saving session_id/state (runtime state) which is normal.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written to disk by an installer in the metadata.
Credentials
ok: Only NEMO_TOKEN is required (and SKILL.md describes generating an ephemeral anonymous token if absent). That credential is proportional to a remote API-driven video editing service. No other secrets or unrelated environment variables are requested.
Persistence & Privilege
ok: Skill is not force-included (always:false) and uses the normal autonomous invocation default. It does not request elevated platform-wide persistence or modify other skills. Saving session_id/state is typical for API sessions.