Skill v1.0.0
ClawScan security
Video Editor Highlight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 6:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud video highlight extraction) aligns with most of its instructions, but there are mismatches and a few scope signals you should review before installing: an inconsistent config-path declaration, automatic anonymous token creation, and an unknown external API domain that will receive user-uploaded video.
- Guidance: This skill appears to do what it says (upload your video to a cloud backend and return highlight reels), but review a few things before enabling it:
  1) The service endpoint (mega-api-prod.nemovideo.ai) is an external domain — any video you upload will leave your machine and be processed there. Don’t upload sensitive footage without a privacy policy and terms you trust.
  2) The skill will accept or create a NEMO_TOKEN (it can generate an anonymous token itself). Prefer providing an ephemeral or limited-scope token rather than a long-lived credential.
  3) The SKILL.md frontmatter references a local config path (~/.config/nemovideo/) but the registry metadata did not — ask the author whether the skill will read/write that directory; do not grant file-access permissions you are uncomfortable with.
  4) There is no source/homepage listed; request the skill’s source or documentation (and review the provider’s privacy/security policies) before installing.

  If you proceed, test with non-sensitive sample videos and a throwaway token first.
Review Dimensions
- Purpose & Capability (ok): Name/description (video highlight extraction) matches the runtime instructions: uploading videos, creating sessions, rendering and returning MP4s. The single declared credential (NEMO_TOKEN) is appropriate for a cloud processing backend.
- Instruction Scope (note): Instructions stay largely within the stated purpose (upload files, stream SSE, poll status, start renders). They also include steps to auto-request an anonymous token if NEMO_TOKEN is absent and to keep a session_id for operations. Nothing in SKILL.md directs reading arbitrary system files, but the frontmatter asks for configPaths (~/.config/nemovideo/) which could imply local config access; this is inconsistent with the registry metadata that listed no required config paths.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This is low-risk from a write-to-disk/install perspective.
- Credentials (note): Only one env var is requested (NEMO_TOKEN), which matches the backend auth model. The skill also instructs how to obtain an anonymous token via the service's /api/auth/anonymous-token endpoint if the env var is missing — this is plausible but means the skill can operate without the user's own key. The SKILL.md frontmatter also mentions a config path (~/.config/nemovideo/), which increases the scope of required access if implemented; registry metadata did not declare this path, so this mismatch should be clarified.
- Persistence & Privilege (ok): always:false and user-invocable:true. The skill only keeps a per-session session_id in memory for operations; there is no install-time persistence declared. There is no indication it will modify other skills or system settings.
