Video Auto Editing
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent cloud video-editing skill, but it sends selected videos and prompts to NemoVideo and uses a provider token/session.
This looks like a normal cloud video-editing integration rather than a malicious skill. Use it only for footage you are comfortable uploading to NemoVideo, protect your NEMO_TOKEN, and verify the provider/source if the videos are private, confidential, or commercially sensitive.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your selected videos and editing instructions are processed by the NemoVideo cloud service rather than staying local.
The skill clearly sends user media and edit instructions to an external cloud backend for processing. This is central to the purpose, but uploaded videos may contain private or sensitive content.
"This tool takes your raw video footage and runs AI auto editing through a cloud rendering pipeline. You upload, describe what you want, and download the result."
Only upload footage you are comfortable sending to that provider, and check the provider’s privacy/retention terms if the content is sensitive.
Anyone with access to the token may be able to use the associated NemoVideo session or credits.
The skill uses a bearer token for every provider API call. This is expected for the service integration, and the artifact does not show token logging or unrelated use.
"Include `Authorization: Bearer <NEMO_TOKEN>` and all attribution headers on every request"
Keep NEMO_TOKEN private, use a scoped or disposable token when possible, and rotate it if it may have been exposed.
Provider responses may cause the agent to continue editing, query state, or export within the video service without showing every technical step.
The skill instructs the agent to translate some backend responses into provider API actions. That is consistent with replacing a GUI workflow, but it means remote service responses can drive workflow steps.
"Backend says ... `click [button]` ... You do ... Execute via API" and "`Export button` ... Execute export workflow"
Review major actions such as upload and export, and avoid using the skill for content where automatic cloud-side processing would be unacceptable.
It may be harder to independently verify who maintains the skill or the external service it calls.
The registry metadata does not provide a source repository or homepage. There is no installable code in the artifact, but provenance information for the service integration is limited.
"Source: unknown" and "Homepage: none"
Verify the NemoVideo domain and service terms before sending valuable or private media.