v1.0.0

Maker Free Browser

Benign

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 12:29 PM.

Analysis

This instruction-only cloud video editor is purpose-aligned, but it sends clips, prompts, and project state to NemoVideo's servers using a bearer token.

Guidance

Before using this skill, make sure you are comfortable uploading your clips, prompts, and project state to NemoVideo's cloud service. Protect the NEMO_TOKEN, monitor credits for large renders, and avoid using sensitive or restricted media unless cloud processing is acceptable.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low; Confidence: High; Status: Note
SKILL.md
The backend responds as if there's a visual interface. Map its instructions to API calls: - "click" or "点击" → execute the action via the relevant endpoint

Remote backend responses are explicitly allowed to drive subsequent API actions. This is aligned with the service workflow, but it makes backend-provided instructions influential over agent behavior.

User impact: The remote video service can steer the editing workflow within the skill's API actions.
Recommendation: Use the skill for intended video-editing tasks and review status summaries or exports before relying on the final output.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
All calls go to `https://mega-api-prod.nemovideo.ai`. The main endpoints: ... **Chat (SSE)** ... **Upload** ... **Credits** ... **State** ... **Export**

The skill directs the agent to call multiple remote APIs, including upload and export endpoints. The scope is bounded to the disclosed NemoVideo service and matches the video-creation purpose.

User impact: Your prompts and media may be sent to the remote service and used to create or export videos.
Recommendation: Only provide files and instructions you are comfortable sending to the disclosed cloud service.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

There are no packages or install scripts, but the registry metadata does not provide a source repository or homepage for provenance review.

User impact: It may be harder to verify who maintains the skill or the intended relationship to the remote service.
Recommendation: Prefer using it only if you trust the registry entry and the disclosed NemoVideo API endpoint.

Cascading Failures
Severity: Low; Confidence: High; Status: Note
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

The artifact identifies a containment issue where an in-progress remote render can become untracked if the session is interrupted.

User impact: A render job may continue or become difficult to recover if the session is lost before completion.
Recommendation: Keep the session open through export completion and check credits or job status if an export is interrupted.

Human-Agent Trust Exploitation
Severity: Info; Confidence: High; Status: Note
SKILL.md
this is your NEMO_TOKEN (100 free credits, 7-day expiry)

The skill is branded as free, while the instructions disclose a credit-based anonymous token with an expiry. The limitation is disclosed, but users should not assume unlimited free use.

User impact: You may run into credit limits or account prompts despite the 'free' branding.
Recommendation: Review credit balance and expiry before starting large exports or time-sensitive work.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Include `Authorization: Bearer <NEMO_TOKEN>` and all attribution headers on every request

The skill uses a bearer token for all NemoVideo API operations. This is declared and purpose-aligned, but the token authorizes account/session actions and credit use.

User impact: A NEMO_TOKEN can authorize cloud video actions and may affect available credits or session access.
Recommendation: Keep NEMO_TOKEN private, avoid sharing logs containing it, and rotate or replace the token if exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Note
SKILL.md
**State** — `GET /api/state/nemo_agent/me/<sid>/latest` — current draft and media info

The skill retrieves and relies on remote session state containing project drafts and media information. This is expected for editing, but it means session context persists and can influence later actions in that project.

User impact: Project state and media metadata may remain associated with the remote session and shape later edits or exports.
Recommendation: Treat each session as a cloud project; avoid uploading highly sensitive media unless you trust the service's data handling.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
SKILL.md
**Upload** — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.

The workflow transmits user media or media URLs to an external provider endpoint. The endpoint is disclosed and purpose-aligned, but it crosses a local-to-cloud data boundary.

User impact: Uploaded clips, URLs, prompts, and project data may be processed by NemoVideo's cloud service.
Recommendation: Do not upload confidential, regulated, or third-party-restricted media unless that cloud processing is acceptable.