Skill v1.0.0
ClawScan security
Video Bootcamp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 7:10 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud AI video editing) mostly matches its runtime instructions and single required secret (NEMO_TOKEN), but there are inconsistencies in metadata and a few operational details that deserve scrutiny before use.
- Guidance: This skill is plausibly what it claims to be (a cloud video editor) but before installing or using it, check a few things:
  1. Confirm the skill's origin and trustworthiness (there's no homepage or known owner info).
  2. If you don't already have a NEMO_TOKEN, the skill will request an anonymous token from https://mega-api-prod.nemovideo.ai — decide whether you want the skill to obtain that token on your behalf or prefer to create/provide your own token so you control its lifecycle.
  3. Ask where the skill will store the anonymous token and session_id (in-memory, agent storage, or on disk under ~/.config/…), and whether other skills or processes can access them.
  4. Clarify the apparent metadata mismatch about config paths (~/.config/nemovideo/) — if the skill will read or write that directory, make sure you’re comfortable with what it might store.
  5. Avoid uploading sensitive or private footage until you verify the service's privacy policy and security practices.

  If you want, ask the publisher for a homepage, privacy/security documentation, or a way to explicitly provide your own token and storage policy; that would raise confidence.
Review Dimensions
- Purpose & Capability (note): The skill claims to perform cloud video editing and its instructions call only the service's API endpoints (upload, chat SSE, render, credits). Requesting a NEMO_TOKEN for authorization is coherent with that purpose. However, the skill's YAML frontmatter references a config path (~/.config/nemovideo/) for metadata while the registry metadata listed 'Required config paths: none' — this mismatch is unexplained and worth confirming.
- Instruction Scope (note): Runtime instructions are concrete and limited to interacting with the nemo-video backend (session creation, SSE, uploads, export polling). They only check for NEMO_TOKEN and, if missing, obtain an anonymous token via the service's anonymous-token endpoint. A minor scope concern: the skill says it derives an X-Skill-Platform header from the agent's install path (e.g., ~/.clawhub/ or ~/.cursor/skills/), which implies the agent may inspect installation paths or environment to populate that header — confirm what is read and where. The skill also instructs storing session_id for subsequent requests but does not specify storage location or retention policy.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This minimizes supply-chain risk because nothing will be downloaded or written by the skill itself during installation.
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared as required — appropriate for an API-driven cloud editing service. The skill additionally instructs generating an anonymous token if NEMO_TOKEN is absent (the token is valid for 7 days). You should confirm where that token and recorded session_id are stored (environment, agent storage, disk) and whether they are accessible to other skills or processes. The presence of a config path in the skill frontmatter (~/.config/nemovideo/) is not reflected in the registry metadata and could indicate optional local config access — clarify this mismatch.
- Persistence & Privilege (ok): The skill is not marked 'always: true' and uses normal runtime invocation. It does instruct storing a session identifier and using tokens, which is normal for an API client, but it does not request elevated or permanent platform privileges in the manifest.
