Skill v1.0.0
ClawScan security
Video Editing With Claude · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 6:31 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (uploading user videos to an external API and using/creating a NEMO token) matches its stated purpose, but there are inconsistencies and a few instructions that ask the agent to read local paths/install locations that are unnecessary for basic editing; you should verify those before installing.
- Guidance: This skill will upload your videos and metadata to an external service (mega-api-prod.nemovideo.ai) and needs a NEMO_TOKEN (or can obtain a short-lived anonymous token). Before installing or invoking it: (1) Verify the service domain and privacy/retention policy for uploaded media; (2) Prefer using an anonymous token or a limited-scope token rather than a long-lived secret; (3) Ask the skill author to explain why the agent must read ~/.config/nemovideo/ and detect install paths; if not required, request those actions be removed; (4) Do not provide other unrelated credentials; (5) If you are concerned about local path reads, avoid running the skill in environments with sensitive files in your home directory. The primary inconsistency to resolve is the mismatch between registry metadata (no config paths) and the SKILL.md frontmatter (lists ~/.config/nemovideo/ and install-path detection). Clarifying that will reduce the remaining risk.
Review Dimensions
- Purpose & Capability (note): The skill name/description (AI cloud video editing) aligns with the required credential (NEMO_TOKEN) and the API endpoints described. Requiring a token to call a cloud render API is expected. However, the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) and install-path detection for attribution headers; those are not justified by the simple description and are inconsistent with the registry metadata that lists no required config paths.
- Instruction Scope (concern): Instructions explicitly direct the agent to: generate anonymous tokens (network POST), upload user video files to mega-api-prod.nemovideo.ai, maintain session_id, stream SSE, and poll render endpoints, all expected for a cloud edit workflow. But the runtime instructions also tell the agent to read the skill file's YAML frontmatter and detect the agent's install path (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform, and mention a config directory (~/.config/nemovideo/). Reading arbitrary user file-system locations (to detect install path or read configuration) is outside the minimal needs for editing and increases the scope of access the agent will use.
- Install Mechanism (ok): No install spec and no code files are present (instruction-only). This minimizes installation risk because nothing is downloaded or written to disk by an installer.
- Credentials (note): Only NEMO_TOKEN is declared as required, which is appropriate for a third-party cloud API. The SKILL.md frontmatter, however, also lists a config path (~/.config/nemovideo/) in metadata, implying the agent may read local config files in addition to the env var; that extra access is not explained and should be clarified.
- Persistence & Privilege (ok): The skill is not always-on, is user-invocable, and uses session tokens for job state. It asks to save a session_id (ephemeral) and poll job status, which is normal for a cloud-render workflow. There is no indication it modifies other skills or requests broad persistent privileges.
