Skill v1.0.0

ClawScan security

Video Auto Editing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 6:10 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly behaves like a video editing frontend that uploads footage to an external rendering service, but there are small inconsistencies and some runtime behavior (reading install paths / optional config paths and contacting an external API to mint tokens) that the user should understand before installing.
Guidance
This skill will upload your raw video files to a third-party cloud service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN (or will request an anonymous token from that service). Before installing:
1) confirm you trust the nemo service and its privacy/retention policy for video content;
2) prefer using a short-lived or anonymous token instead of pasting a long-lived credential you reuse elsewhere;
3) be aware the skill's runtime may check your home folders (it detects install paths like ~/.clawhub/ and ~/.cursor/skills/) to populate attribution headers — that is a small privacy surface you may want to avoid;
4) note the SKILL.md metadata lists a config path (~/.config/nemovideo/) although the registry did not — ask the publisher which files (if any) will be read.
If any of these points worry you, don't install or provide credentials until the publisher clarifies.

Review Dimensions

Purpose & Capability
note: Name/description (auto video editing) matches the actions described (upload, SSE editing, export). Requesting a single service credential (NEMO_TOKEN) is appropriate. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) and runtime logic to detect install paths (~/.clawhub/, ~/.cursor/skills/) while the registry metadata lists no required config paths — this mismatch is an incoherence to be aware of.
Instruction Scope
concern: The SKILL.md instructs the agent to (a) contact an external API (mega-api-prod.nemovideo.ai) for session creation, SSE streaming, uploads, and rendering; (b) upload user video files (multipart or URL); and (c) detect the skill install path to populate X-Skill-Platform header. Detecting install path requires reading the user's home filesystem. All of these are consistent with a cloud editing service, but the filesystem check is privacy-sensitive and broader than purely editing functionality.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no bundled code — lowest install risk. Nothing will be written to disk by an installer step in the skill package itself.
Credentials
note: The skill declares a single primary env var (NEMO_TOKEN), which fits a cloud API integration. The agent will also obtain an anonymous token from the service if NEMO_TOKEN is absent. That behavior is reasonable but means network calls will be able to obtain transient credentials; users should not supply a long-lived or highly-privileged token unless they trust the service. The SKILL.md references configPaths in metadata that the registry did not list — unclear if the skill will try to read those paths.
Persistence & Privilege
ok: always:false and normal model invocation settings. The skill does not request permanent inclusion or to modify other skills. No elevated persistence or privileges declared.