Skill v1.0.0

ClawScan security

Best Free Ai Video Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 1:04 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with a remote AI video-editing service and only needs a service token to operate, but there are small metadata/instruction inconsistencies you should be aware of before installing.
Guidance
This skill appears to be what it claims: a client for a remote AI video-editing service. Before installing, confirm you trust the remote host (mega-api-prod.nemovideo.ai) because uploaded videos and audio will be transmitted and processed there. Note the skill needs a NEMO_TOKEN (or it will create a short-lived anonymous token), and SKILL.md asks the agent to read the skill frontmatter and detect its install path to populate attribution headers. There is a small metadata mismatch: the frontmatter lists a config path (~/.config/nemovideo/) while registry metadata did not — ask the publisher to clarify if the skill will read or write that path. If you will upload sensitive media, review the service's privacy/terms and avoid supplying long‑lived secrets unless you trust the provider. If anything about the domain, headers, or token handling looks unfamiliar, do not enable the skill until you verify the provider.

Review Dimensions

Purpose & Capability
ok: The name/description match the runtime instructions: the skill routes user uploads and editing commands to a remote nemo video API and requires a NEMO_TOKEN for authorization. Requiring a token to call a cloud rendering API is expected.
Instruction Scope
ok: SKILL.md gives detailed, bounded instructions for session creation, uploads, SSE handling, polling, and exports. The instructions do not ask the agent to read unrelated system files or other credentials, but they do instruct the agent to read the skill's frontmatter and detect install path to populate attribution headers (X-Skill-Platform). That detection is reasonable for attribution but should be noted as an extra runtime action.
Install Mechanism
ok: There is no install spec and no code files — instruction-only skills have the lowest install risk. Nothing is downloaded or written to disk by the skill itself.
Credentials
note: The skill only requires a single credential (NEMO_TOKEN), which is proportionate for a remote API. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata listed none; this metadata inconsistency should be resolved. The skill can also generate an anonymous token via the public API if no token is provided, so it does not strictly require a long-lived secret.
Persistence & Privilege
ok: always:false and no installs; the skill does not request permanent system presence or elevated privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors.