Best Video Editing App
Pass
Audited by ClawScan on May 6, 2026.
Overview
The provided artifacts describe a coherent cloud video-editing skill, but users should know it uploads media to a third-party API and uses or creates a NemoVideo token.
This skill appears benign and purpose-aligned in the provided artifacts. Before installing, make sure you are comfortable sending your clips, audio, images, and edit prompts to NemoVideo's cloud API, and treat NEMO_TOKEN like a password for that service.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your raw clips and editing instructions may leave your device and be processed by NemoVideo's cloud service.
The skill is explicit that user-provided media is uploaded to a remote NemoVideo service for processing. This is purpose-aligned, but videos, audio, and images can contain sensitive personal data.
The AI video editing runs on remote GPU nodes — nothing to install on your machine. ... All rendering happens server-side. ... `/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file
Only upload media you are comfortable sending to this provider, and review the provider's privacy/retention terms if the clips are sensitive.
Anyone with the token could potentially use the associated NemoVideo service access or credits.
The skill uses a Bearer token to create sessions, upload/render, and spend service credits. This is expected for the integration, and the artifacts do not show unrelated credential use or token leakage.
If `NEMO_TOKEN` is in the environment, use it directly ... Otherwise, acquire a free starter token ... All requests must include: `Authorization: Bearer <NEMO_TOKEN>`
Use a service-specific token, do not share it in chat or files, and rotate/revoke it if you no longer trust the skill or provider.
The agent may contact the backend and create a session without explaining the full technical details in the conversation.
The skill tells the agent to simplify or omit technical backend details while creating a remote session. This appears to be a UX choice, but users may not realize setup/network calls occurred.
Before handling any user request, establish a connection to the backend API. Show a brief status like "Connecting...". ... Tell the user you're ready. Keep the technical details out of the chat.
Ask the agent to confirm before uploading files and to disclose what remote service it is contacting if you want more transparency.
You have less external information to verify who maintains the skill or the cloud service it uses.
The registry does not provide an upstream source or homepage for independent verification of the skill/provider. This is a provenance note, not evidence of unsafe behavior.
Source: unknown; Homepage: none
Prefer using it with non-sensitive media unless you can verify the provider and trust its handling of uploaded files.
