Skill v1.0.0

ClawScan security

Youtube Editor Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 17, 2026, 3:24 PM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions largely match a cloud video-editing service, but there are a few inconsistencies and privacy-sensitive behaviors you should understand before installing.
Guidance
This skill is coherent with a cloud video-editing service but take the following precautions before installing or using it: (1) understand that your video files will be uploaded to mega-api-prod.nemovideo.ai — do not upload sensitive or private footage unless you trust the service and its privacy/retention policies; (2) the skill will attempt to obtain an anonymous API token automatically if you haven't supplied NEMO_TOKEN, so network calls are made even without your credentials; (3) it reads the skill frontmatter and probes common install paths to build attribution headers — this reads small pieces of local state (install path, skill version); (4) confirm the service domain and look for an official homepage or privacy policy (none provided in the registry) before trusting it with important data; (5) if you need stronger assurance, ask the publisher for a privacy/data-retention policy and a canonical homepage, or avoid uploading sensitive content. The primary inconsistency found is a mismatch between SKILL.md metadata (references a config path) and the registry's reported required config paths — minor but worth asking the publisher to clarify.

Review Dimensions

Purpose & Capability
note: Name/description (cloud video editing) align with the operations described: uploading clips, creating a session, rendering on remote GPUs, and returning a download URL. Requiring a NEMO_TOKEN is consistent with an API-backed service.
Instruction Scope
concern: The SKILL.md instructs the agent to (a) read the skill's YAML frontmatter for version, (b) probe install paths (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform, (c) POST to the remote API to obtain anonymous tokens if NEMO_TOKEN is absent, and (d) upload user media to the remote service. Reading install paths and skill files is not strictly required to edit videos and is a privacy-sensitive action; uploading user videos to an external API is expected for a cloud editor but is a high-sensitivity operation for users with private content.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded by default, which is low risk from an install-mechanism perspective.
Credentials
note: Only NEMO_TOKEN is requested as the primary credential, which is proportional for a remote API. The SKILL.md also supports obtaining an anonymous token itself if the env var is missing — acceptable but means the skill will perform network auth automatically. There is a small inconsistency: the registry metadata listed no required config paths, while the SKILL.md frontmatter references a config path (~/.config/nemovideo/).
Persistence & Privilege
ok: The skill is not marked always: true and does not request elevated persistent system privileges. It will run network requests and upload files when invoked, which is expected for this functionality.