Ai Video Editor
Analysis
This is a cloud video-editing skill that clearly relies on an external Nemo Video API and token, with no local code or install script, but users should understand their videos and prompts are sent to that service.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
"Backend says | You do" ... "click [button]" / "点击" | "Execute via API"
The skill tells the agent to treat certain backend responses as instructions to perform API actions. This is purpose-aligned for a GUI-backed video editor, but users should know backend text can drive follow-up actions.
"Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`" and "Export ... POST `/api/render/proxy/lambda`"
The skill uses API operations to upload user media and trigger cloud rendering. These are normal for the stated video watermarking purpose, but they are external actions involving user files.
Source: unknown; Homepage: none
The skill has no local code or install dependency, but the registry metadata does not provide a source repository or homepage for independent provenance review.
"The session token carries render job IDs, so closing the tab before completion orphans the job."
The skill discloses that render jobs are queued remotely and may become orphaned if the session is closed before completion. This is a normal cloud-rendering risk rather than hidden behavior.
"Free token ... `NEMO_TOKEN` (100 credits, 7-day expiry)" and "402 | Free plan export blocked ... `Register or upgrade your plan to unlock export.`"
The skill mentions free anonymous tokens and free export, while also documenting that export can be blocked by subscription tier. This is disclosed in error handling but may surprise users.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
"Token: If `NEMO_TOKEN` environment variable is already set, use it" and "All requests must include: `Authorization: Bearer <NEMO_TOKEN>`"
The skill requires a bearer token for the external video service. This credential use is disclosed and aligned with the service integration.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
"Session state: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`"
The skill relies on remote session state for drafts, uploaded media, and generated outputs. This is expected for a cloud editor, but stale or incorrect session state could affect later exports.
"Send message (SSE): POST `/run_sse` — body `{"app_name":"nemo_agent"...}`" and "Upload: POST `/api/upload-video/nemo_agent/me/<sid>`"
The agent communicates with an external service named `nemo_agent` and uploads user media to it. This is disclosed and central to the cloud-rendering purpose, but it creates a sensitive data boundary.
