Skill v1.0.0

ClawScan security

Ai Video Editor Job Vacancy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 6:36 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with an AI cloud video-editing service: it needs a NEMO_TOKEN, talks to nemovideo.ai endpoints, and contains no unexpected credential requests or install steps.
Guidance
This skill will upload any media you provide to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN to process and return edited videos. It can also automatically request a short-lived anonymous token if you don't supply one. Before installing or using it, consider: (1) whether you are comfortable having your footage sent to that remote service (privacy, confidentiality, license), (2) providing your own NEMO_TOKEN if you prefer registered credentials or tighter control, and (3) reviewing the service's terms/privacy on nemovideo.ai. The metadata lists a local config path (~/.config/nemovideo/) but the instructions don't use it — that's likely benign metadata but worth noting. If you need stronger guarantees, ask the publisher for an integrity/hosting statement or a public homepage for the service.

Review Dimensions

Purpose & Capability
ok
Name/description claim cloud video editing and the SKILL.md instructs contacting nemovideo.ai endpoints, uploading media, creating render jobs and returning download URLs. The declared primaryEnv (NEMO_TOKEN) and API endpoints match the stated purpose. Minor note: metadata lists a config path (~/.config/nemovideo/) but the runtime instructions do not reference reading or writing that path.
Instruction Scope
ok
Instructions describe standard flows for anonymous auth, session creation, file upload, SSE streaming, render requests, polling and credit/error handling. The agent is directed to generate an anonymous token if NEMO_TOKEN is absent and to store session_id; both are expected for this service. The SKILL.md does not instruct reading unrelated system files or accessing unrelated credentials. It does instruct hiding raw API responses/tokens from the user, which is reasonable operational guidance (not an exfiltration directive).
Install Mechanism
ok
No install spec and no code files (instruction-only). This is the lowest-risk category: nothing will be downloaded or written by an installer step.
Credentials
ok
Only a single credential (NEMO_TOKEN) is declared as required and is directly used to authorize requests to the listed backend. The skill also supports creating an anonymous token when NEMO_TOKEN is not provided; that behavior is documented in the SKILL.md. No unrelated creds, keys, or system secrets are requested.
Persistence & Privilege
ok
always is false and the skill does not request system-wide privileges or modify other skills. It instructs storing session_id/token for its own use, which is normal for a session-based remote service client.