Skill v1.0.0

ClawScan security

Deutsch Video Editing With · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 11, 2026, 1:42 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based German-language video editing service; nothing obvious requests unrelated credentials or system resources, but there are small metadata inconsistencies and privacy considerations you should review before using it.
Guidance
This skill appears to be a straightforward connector to a Nemovideo cloud editing API and asks only for a NEMO_TOKEN (or will obtain an anonymous token for you). Before installing or using it, consider:
1) Privacy: any video you upload is sent to the remote service — do not upload sensitive footage without verifying the vendor's privacy/data-retention policy.
2) Tokens: the skill can generate and use an anonymous token if you don't provide one; that gives the service temporary access to operate on your uploaded content.
3) Metadata mismatch: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata did not — confirm where tokens/configs will be stored and whether you want that persisted.
4) Endpoint provenance: the skill talks to mega-api-prod.nemovideo.ai — if you do not recognize that provider, verify the service before sending private content.
If you only need to try the skill, prefer using a disposable account or throwaway test content first.

Review Dimensions

Purpose & Capability
ok
The skill claims to perform cloud GPU video editing and only requests a NEMO_TOKEN (and an associated nemovideo config path in the SKILL.md frontmatter). Those credentials and paths are coherent with delegating rendering/uploading to a remote 'nemovideo' backend.
Instruction Scope
note
SKILL.md gives concrete API workflows (session creation, SSE message stream, upload endpoints, export/polling). The instructions are focused on the remote Nemovideo API and on uploading user-supplied media. It also instructs the agent to auto-generate an anonymous token from the service if NEMO_TOKEN is not present. There are no instructions to read unrelated system files or to transmit other local secrets, but the headers requirement and 'auto-detect install path' mention could implicitly require reading environment/install metadata.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is lower risk from a supply-chain/install perspective.
Credentials
note
Only NEMO_TOKEN is declared as the primary credential, which is proportional for a cloud video-editing service. The SKILL.md also references a config path (~/.config/nemovideo/) in its frontmatter even though the registry metadata lists no required config paths — that mismatch is inconsistent and worth noting. The skill will also create an anonymous token automatically if NEMO_TOKEN is absent (giving the agent a transient credential it can use).
Persistence & Privilege
ok
always:false and no install steps; the skill does not request permanent system-wide privileges or to modify other skills. The main persistence risk is that tokens or session data could be stored under the reported config path if the platform chooses to persist them.