Skill v1.0.0

ClawScan security

Video Editor Invideo Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 16, 2026, 4:03 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are generally consistent with a cloud video-editing helper — it asks for a single service token and tells the agent how to upload, render, and download videos — but a few minor mismatches and the unknown source reduce confidence.
Guidance
This skill behaves like a typical cloud video-editor: it will upload your files to the nemovideo.ai backend and use a NEMO_TOKEN (or obtain a short-lived anonymous token) to do rendering and return a download URL. Before installing or enabling:
1) Confirm you trust nemovideo.ai / the service behind the skill (privacy, retention, and who can access uploaded videos).
2) Note the branding mismatch ("InVideo AI" vs nemovideo.ai) and the lack of a public homepage/source — ask the publisher for a canonical homepage, privacy policy, or docs.
3) Only provide a long-lived NEMO_TOKEN if you trust the service; otherwise rely on the skill's anonymous-token flow.
4) If you want higher assurance, request the skill author to remove or justify the configPath in metadata (~/.config/nemovideo/) and to document exactly what metadata/headers are sent.
If you provide those additional artifacts (homepage, source repo, or API docs), I can reassess with higher confidence.

Review Dimensions

Purpose & Capability
ok
The skill claims to perform cloud video editing and its instructions only reference uploading media, creating a session, streaming SSE edits, polling export status, and downloading results from https://mega-api-prod.nemovideo.ai. The single required credential (NEMO_TOKEN) is exactly the kind of token needed for that service. Minor note: the human-facing name references "InVideo AI" while the API host is nemovideo.ai and the package/homepage/source are unknown — this branding mismatch is suspicious but not conclusive.
Instruction Scope
note
SKILL.md instructs the agent to POST for an anonymous token if NEMO_TOKEN is not present, create sessions, upload files, stream SSE, and poll export endpoints. Those actions are appropriate for the described job (cloud rendering). The instructions also ask the agent to include attribution headers and to detect install path to set X-Skill-Platform and to read the file's YAML frontmatter for X-Skill-Version. Reading its own skill metadata is reasonable, but the install-path detection implies examining agent runtime paths — that is somewhat broader scope than necessary but not obviously malicious. The instructions do not direct reading arbitrary unrelated files or exfiltrating other credentials.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files. That lowers disk-write and install risks; nothing is downloaded or executed locally by the skill itself per the provided material.
Credentials
note
The skill declares a single primary credential (NEMO_TOKEN), which matches the API Authorization header usage. SKILL.md's metadata also references a config path (~/.config/nemovideo/) while the registry summary above listed none — this mismatch should be clarified. Otherwise no unrelated secrets or multiple credentials are requested.
Persistence & Privilege
ok
The skill does not request always: true and has no install-time persistence. It instructs the agent to manage ephemeral sessions and tokens (anonymous tokens expire in 7 days). Autonomous invocation is allowed (platform default) but is not combined here with wide credential access or permanent presence.