Skillv1.0.0

ClawScan security

Ai Video Editor Edimakor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 16, 2026, 4:32 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (cloud AI video editing) aligns with its instructions and only requests a single service token; there are minor metadata inconsistencies to be aware of but nothing that indicates the skill intends to do something other than described.
Guidance: This skill looks coherent for a cloud AI video editor, but consider these practical checks before installing: - Confirm you trust the endpoint domain (mega-api-prod.nemovideo.ai) and the service's privacy policy — you'll be uploading raw video. - The skill needs a NEMO_TOKEN (or it will obtain an anonymous token). Do not paste unrelated secrets into the chat. - Clarify the metadata mismatch: SKILL.md references ~/.config/nemovideo/ for configPaths while the registry showed none — ask the author whether the skill will read that path. - Understand token lifecycle: anonymous tokens expire and carry limited credits; registered accounts may be required for exports. - If you are concerned about automatic filesystem access, ask how X-Skill-Platform is detected (it implies reading an install path). If any of the above is unacceptable (privacy of uploaded media, unknown domain, ambiguous filesystem access), do not install or ask the publisher for clarification first.

Review Dimensions

Purpose & Capability: noteThe name/description describe remote AI video editing and the SKILL.md exclusively details calls to nemovideo API endpoints and upload/render flows — requiring a NEMO_TOKEN is proportionate. Note: the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/) even though the registry metadata shown to the scanner reported no required config paths; this is an internal metadata mismatch that should be clarified but does not by itself indicate malicious intent.
Instruction Scope: noteRuntime instructions are narrowly scoped to creating/refreshing a nemo anonymous token, creating a session, uploading user media, streaming SSE edits, polling render status, and exporting downloads. The skill instructs including attribution headers and detecting an install path to set X-Skill-Platform (this may require reading agent install path or similar runtime metadata). There are no instructions to read arbitrary user files or other credentials. The only potential scope creep is the implied need to inspect an install path to set headers; confirm how that path is determined.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest-risk installation footprint (nothing is written/executed by an install step).
Credentials: okThe skill requires a single service credential (NEMO_TOKEN) which is appropriate for a cloud editing API. The SKILL.md also documents creating anonymous tokens via the API if no token is present (with limited credits/expiry). No other unrelated secrets or platform credentials are requested.
Persistence & Privilege: okalways is false and the skill does not request elevated or permanent presence. The SKILL.md asks to save session_id and to reuse tokens (normal for sessioned APIs) but does not instruct modifying other skills or system-wide configs.