Skillv1.0.0

ClawScan security

Video Editing Ke Liye Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 16, 2026, 8:07 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill appears internally consistent with its stated purpose: it uploads user video files to a remote editing API and requires a single service token (NEMO_TOKEN); there are no unrelated credentials or install steps requested.
Guidance: This skill uploads your video files and uses a NEMO_TOKEN (or an anonymous token the skill can request) to send jobs to mega-api-prod.nemovideo.ai. Before installing or using it, confirm you trust that remote service and are comfortable uploading the footage you provide (don’t upload sensitive or private material if you’re unsure). Note that the skill may inspect install/config paths to set an attribution header — if you prefer not to disclose local paths, avoid granting the agent filesystem access or ask the skill not to include X-Skill-Platform. If you want stronger safety, verify the service’s privacy/retention policy and consider using short-lived anonymous tokens rather than long-lived credentials.

Review Dimensions

Purpose & Capability: okThe name/description (AI video editing) lines up with the runtime instructions and the single required environment variable (NEMO_TOKEN). The declared config path (~/.config/nemovideo/) and the API endpoints in SKILL.md are coherent for a cloud-based video processing service.
Instruction Scope: noteInstructions direct the agent to authenticate (use NEMO_TOKEN or obtain an anonymous token), upload videos, drive an SSE-based editing session, poll state, and fetch export URLs — all within the mega-api-prod.nemovideo.ai domain. One minor scope note: the skill asks the agent to derive an attribution header (X-Skill-Platform) from the install path (~/.clawhub/, ~/.cursor/skills/). That requires checking local install paths/config, which is slightly privacy-intrusive but not disproportionate to the claimed purpose.
Install Mechanism: okThere is no install spec or code to download — the skill is instruction-only, which minimizes installation risk (nothing is written to disk by the skill package itself).
Credentials: okOnly one credential (NEMO_TOKEN) is required and documented as the primary credential. The SKILL.md also documents a public anonymous-token flow for short-lived tokens. No unrelated credentials, secret patterns, or broad environment access are requested.
Persistence & Privilege: okThe skill does not request always: true and does not ask to modify other skills or system-wide settings. It runs remotely and requires an API token for access; autonomous invocation is allowed by default but is not combined with other red flags.