Skill v1.0.0

ClawScan security

Video Editor Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 12, 2026, 9:06 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (cloud video editing) matches most instructions, but there are small inconsistencies and some opaque behavior (token handling, implicit filesystem detection, and missing upstream provenance) that you should review before use.
Guidance
This skill will upload your video files to an external service (mega-api-prod.nemovideo.ai) and uses a bearer token (NEMO_TOKEN) for requests. The skill will auto-request an anonymous token if NEMO_TOKEN is not set, and it may inspect install/config paths to derive an X-Skill-Platform header — the registry entry and SKILL.md disagree about required config paths. Before installing or using it:
(1) confirm you trust the nemo service and review its privacy/storage policy — your videos will leave your device;
(2) verify why the registry metadata omits the config path that appears in SKILL.md;
(3) if you have sensitive footage, avoid using this skill until you can confirm data retention/processing practices;
(4) consider asking the publisher for a homepage or source code to audit; and
(5) be comfortable that the agent will make outbound HTTPS calls to the specified domain and may read installation paths to set headers.

Review Dimensions

Purpose & Capability
note: The name/description (cloud video editing/export) matches the runtime instructions (upload, create session, render, download). Requiring a NEMO_TOKEN is coherent for a cloud service. Minor mismatch: the registry metadata lists no required config paths, but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/). That discrepancy is unexplained.
Instruction Scope
note: The instructions are focused on interacting with the nemo backend (auth, session creation, SSE, upload, render, poll). They instruct the agent to obtain anonymous tokens when NEMO_TOKEN is absent and to keep a session_id in memory. The skill also says X-Skill-Platform is detected from install path (~/.clawhub/, ~/.cursor/skills/), which implies the agent may inspect filesystem/paths — this is more system access than strictly needed for API calls and is not justified in the registry metadata.
Install Mechanism
ok: No install spec and no code files — instruction-only. This minimizes disk footprint and install-time risk.
Credentials
note: Only NEMO_TOKEN is declared as required, which is proportional for a cloud video service. However, SKILL.md documents a fallback that POSTs to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token to obtain a token if none is present. Requiring NEMO_TOKEN while also auto-generating anonymous tokens is inconsistent but not necessarily malicious. No unrelated credentials are requested.
Persistence & Privilege
ok: always is false and the skill does not request permanent presence or system-wide config changes. It asks to keep session_id for operations (expected) but does not explicitly instruct writing tokens to disk.