Skill v1.0.0

ClawScan security

Ai Video Editor Change Words · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 8:15 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are generally consistent with a cloud-based video edit service, but there are a few small inconsistencies and privacy implications you should understand before use.
Guidance
This skill appears to do what it says: it uploads your video to nemo's cloud rendering service and returns an edited file. Before installing or invoking it, consider: (1) Privacy — your video (and any spoken/text content) will be uploaded to https://mega-api-prod.nemovideo.ai; do not use it for sensitive or private footage unless you trust that service. (2) Credential handling — you can supply your own NEMO_TOKEN or let the skill obtain an anonymous token; treat any token like a secret. (3) Local reads — the skill may read its own frontmatter and check common install paths or a ~/.config/nemovideo/ path for attribution/versioning; if you disallow file reads, block those operations. (4) Inconsistency — registry metadata omitted configPaths that SKILL.md lists; confirm with the publisher if you need to allow a local config directory. If you need high assurance (privacy, compliance), run this only with non-sensitive videos or use a service account/token you control.

Review Dimensions

Purpose & Capability
ok: The skill claims to perform cloud-based video text replacement and only requests a single service credential (NEMO_TOKEN) needed to call that API. Required formats, endpoints, and session flow in SKILL.md align with that purpose.
Instruction Scope
note: Instructions are focused on connecting to the nemo API, creating sessions, uploading video, streaming SSE edits, and exporting results. They do instruct the agent to read this file's YAML frontmatter for skill attribution and to probe common install paths to determine X-Skill-Platform; that involves reading paths in the user's home directory, which is limited but outside strictly necessary editing tasks. Importantly, the runtime clearly requires uploading user videos to an external cloud service — a privacy/data-exfiltration consideration for sensitive content.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code to download or execute. That minimizes installation risk.
Credentials
note: Only one credential is declared (NEMO_TOKEN) which matches the described API authentication. The SKILL.md also supports obtaining an anonymous token if NEMO_TOKEN is absent. This is proportionate to a cloud service integration. However, the frontmatter inside the SKILL.md lists a configPaths value (~/.config/nemovideo/) while the registry metadata showed none — a minor inconsistency about whether a local config is expected or read.
Persistence & Privilege
ok: The skill does not request always:true, does not install background components, and does not ask to modify other skills. It will create ephemeral sessions/tokens for cloud rendering but does not request persistent elevated privileges.