Skill v1.0.0

ClawScan security

Video Clip Maker Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 5:01 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior largely matches a cloud-based video clip service, but there are inconsistencies and privacy/credential-handling concerns you should review before installing.
Guidance
This skill appears to be a cloud-based video editor that uploads your footage to mega-api-prod.nemovideo.ai. Before installing or using it:
1) Confirm you trust the service domain (look up company, privacy policy, data retention, and deletion).
2) Prefer to supply your own NEMO_TOKEN rather than letting the skill mint an anonymous token automatically.
3) Ask whether the skill writes files or tokens to ~/.config/nemovideo/ and where session tokens/credits are stored; clarify any local storage expectations.
4) Be explicit about consent before uploading private or copyrighted video — the skill will send your raw media to a third party.
5) If you need stricter control, avoid using the skill or only test with non-sensitive sample videos.
If the owner can provide a verifiable homepage, privacy policy, or a reputable API host (e.g., official domain or documented service), that would raise confidence.

Review Dimensions

Purpose & Capability
note: The name/description claim to edit and render videos on a remote GPU backend, and the instructions exclusively call out endpoints for uploading, editing, and exporting — that is coherent. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths; this mismatch could indicate sloppy packaging or hidden local storage behavior.
Instruction Scope
concern: The runtime instructions direct the agent to: contact an external API (mega-api-prod.nemovideo.ai), optionally obtain an anonymous token automatically, create sessions, upload user media (up to 500MB), stream SSE edits, poll renders, and store session IDs. Automatically generating credentials and uploading user video without explicit, informed consent is a privacy risk. The instructions also tell the agent not to display raw API responses or token values to users, which is unusual and reduces transparency.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — nothing will be downloaded or written by an installer step. That lowers supply-chain risk, but does not change the fact that user files are sent to the external service at runtime.
Credentials
note: The only declared required credential is NEMO_TOKEN, which is appropriate for a third-party service. However, the skill will attempt to mint an anonymous token itself if NEMO_TOKEN is not provided, which means it can operate without explicit credentials you control. The frontmatter's configPaths entry suggests it may read/write ~/.config/nemovideo/, which was not reflected in the registry summary — this needs clarification.
Persistence & Privilege
note: The skill is not marked always:true and does not include install scripts, so it does not demand permanent inclusion or elevated platform privileges. Still, it instructs storing session IDs and implies writing config under ~/.config/nemovideo/ (frontmatter) — verify what it writes locally and for what retention period.