Skill v1.0.0

ClawScan security

Video Editor In Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 7:16 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches a cloud-based AI video editor, but there are small incoherencies (a config-path requirement present in the skill frontmatter but not in the registry metadata) and a few operational choices that merit user confirmation before use (automatic backend connection, anonymous token issuance, and uploading videos to an external service).
Guidance
This skill appears to implement a cloud-based video editor that uploads user media to mega-api-prod.nemovideo.ai and uses a single token (NEMO_TOKEN) or an anonymous token it can obtain for you. Before installing or using it, consider:
1) Privacy: your videos will be uploaded to a third-party service — do not use this with sensitive footage unless you trust the service and have read its privacy/retention policy.
2) Tokens/storage: the skill may create and store an anonymous token and session_id locally or in agent storage — ask where those are persisted and how long they live.
3) Metadata mismatch: the SKILL.md frontmatter references a local config path (~/.config/nemovideo/) while the registry metadata did not — ask the developer why the skill might read that path.
4) Consent: the skill says it 'connects automatically' on first open; confirm whether it will wait for your explicit consent before uploading files.
If these points are answered acceptably (especially storage/retention and the config-path question), the skill's behavior is largely coherent with its stated purpose.

Review Dimensions

Purpose & Capability
note: The name/description align with the instructions to upload videos to a cloud rendering backend (nemovideo.ai) and request a single env var NEMO_TOKEN. That's coherent for a cloud video editor. However, the SKILL.md frontmatter lists a required config path (~/.config/nemovideo/) while registry metadata reported no required config paths — this mismatch is unexplained and should be clarified.
Instruction Scope
note: Instructions stay within the editor use-case (create session, upload video, SSE edits, export). They instruct the agent to auto-connect on first open and to obtain an anonymous token if NEMO_TOKEN is not present. The skill also instructs storing session_id and token for subsequent requests but does not specify storage location or retention. The workflow involves uploading user media to a third-party cloud service — expected for the purpose but privacy-impacting; the skill does not explicitly require asking the user for separate consent before establishing the backend session (it says 'connect ... automatically').
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest installer risk.
Credentials
note: Only NEMO_TOKEN is declared as the primary environment credential, which is consistent with the service. The skill will generate an anonymous token if none is present (so providing a secret token is optional). The unexplained frontmatter config path (~/.config/nemovideo/) suggests potential local config access, which is not justified elsewhere in the doc — that discrepancy is concerning and should be clarified.
Persistence & Privilege
ok: The skill does not request persistent 'always' execution and does not modify other skills. It does instruct storing session tokens/IDs for ongoing requests (normal for a session-based API), but the storage mechanism and retention are unspecified — this is an operational/privacy detail rather than an elevated privilege request.