Skill v1.0.0
ClawScan security
Video Maker Editor Free Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 11:02 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud video editing) mostly matches its runtime instructions, but there are inconsistencies and a few concerning behaviors (hidden backend activity, an undeclared config path, and automatic use of any NEMO_TOKEN in the environment) that merit caution before installing or providing credentials.
- Guidance: This skill appears to implement a remote video-editing service and needs a NEMO_TOKEN to call its API. Before installing or providing a token: 1) Verify the service domain and developer (ask for a homepage, privacy policy, or source code) since the skill's source is unknown. 2) Prefer using an anonymous token (the skill supports generating one) rather than a long-lived personal token in your environment. 3) Be aware uploads will send your video files to an external server — check privacy/retention policies. 4) Ask the author why the frontmatter lists ~/.config/nemovideo/ while registry metadata lists no config paths, and why the skill should "keep technical details out of the chat" (that hides backend activity). 5) If you have sensitive tokens in your environment, avoid installing or run the skill in an isolated environment where those tokens are not present. If the developer cannot satisfactorily explain the inconsistencies and the data handling, treat the skill as untrusted.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (online video editing, MP4 exports) aligns with the network endpoints and APIs used in SKILL.md. The only declared secret (NEMO_TOKEN) is appropriate for a hosted rendering service. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not reflected in the registry metadata, which is an inconsistency.
- Instruction Scope (concern): Instructions require contacting an external API (mega-api-prod.nemovideo.ai), uploading user video files, creating sessions, polling render status, and including attribution headers. The SKILL.md explicitly instructs the agent to "Keep the technical details out of the chat," which hides network/auth activity from the user and reduces transparency. It also directs the agent to use any NEMO_TOKEN found in the environment without prompting, which could cause a pre-existing token to be used unexpectedly.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing is written to disk. That lowers install-time risk.
- Credentials (note): Only a single env var (NEMO_TOKEN) is declared as required, which is proportionate for a remote API. That said, SKILL.md frontmatter references a config path (~/.config/nemovideo/) not reflected in the registry entry, and the skill will use any NEMO_TOKEN present silently. If you have other tokens or credentials in your environment, there's a risk of unintended use. The skill also asks to auto-detect platform from install path, which may require reading agent install metadata or paths.
- Persistence & Privilege (ok): always:false and no install means the skill does not request permanent elevated presence. The skill can be invoked autonomously (default), which is normal — combine that with the fact it will make network calls using a provided environment token and hide technical details, and you should be cautious about allowing autonomous invocation with your real NEMO_TOKEN.
