Skill v1.0.0
ClawScan security
Video Help · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 4:46 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud video-editing integration; it asks for a single service token and routes uploads/requests to the declared API, with only minor metadata inconsistencies to clarify.
- Guidance: This skill uploads your video files and uses a bearer token (NEMO_TOKEN) to call a third‑party API (mega-api-prod.nemovideo.ai). Before installing: (1) Confirm you trust that external service and are comfortable uploading the videos (privacy/PII concern). (2) Provide a token only if it is specifically for this service; otherwise use the anonymous flow but note anonymous tokens have limited credits and 7‑day expiry. (3) Be aware the skill may read install paths to set an attribution header — if you want to avoid filesystem checks, ask the author to remove that behavior. (4) The SKILL.md frontmatter and registry metadata disagree about a config path and whether the token is strictly required; ask the publisher to clarify those inconsistencies. Overall the skill appears coherent for video editing, but verify privacy, cost/credits, and the origin of any token you provide.
Review Dimensions
- Purpose & Capability (ok): Name/description match the behavior in SKILL.md: it uses a remote rendering API, accepts video uploads, starts sessions, streams SSE results, and returns download URLs. Requesting a NEMO_TOKEN for bearer auth is coherent with a cloud video-editing service.
- Instruction Scope (note): Instructions are focused on interacting with the nemovideo API (session creation, SSE, upload, export). They require access to user-supplied video files for upload and polling session state. One minor scope detail: headers include an X-Skill-Platform value determined by checking install paths (~/.clawhub/, ~/.cursor/skills/) which implies reading the agent's install filesystem to detect platform — this is plausible but worth noting.
- Install Mechanism (ok): No install spec or code files are present (instruction-only). Nothing is downloaded or written to disk by an installer; the runtime actions are network calls to the service endpoints.
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared and used for Bearer auth, which is proportionate. Minor inconsistency: the top-level registry metadata lists no required config paths, but the SKILL.md frontmatter includes configPaths: [~/.config/nemovideo/]. Also, the instructions include an anonymous-token flow (POST to /api/auth/anonymous-token) if NEMO_TOKEN is not set, so a token is not strictly required at runtime — the registry claiming NEMO_TOKEN as required could be misleading.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated platform privileges. It stores a session_id in runtime state and uses short-lived anonymous tokens or the provided NEMO_TOKEN; it does not request persistent modifications to other skills or global agent settings.
