Skill v1.0.0
ClawScan security
Ai Video Editor Kya Hai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 16, 2026, 5:42 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud AI video editing) matches most of its instructions, but there are internal inconsistencies about required config/credentials and some runtime behaviors that you should review before sending private footage to the remote API.
- Guidance: This skill appears to do what it says (upload your footage to a cloud backend and return edited videos), but review these points before installing or using it:
  - Privacy: Using the skill will upload your raw video to https://mega-api-prod.nemovideo.ai. Do not send sensitive or private footage unless you trust that domain and have checked its privacy/retention policies.
  - Token behavior: The registry declares NEMO_TOKEN as required, but the SKILL.md includes a flow to request an anonymous token if none is present. Decide whether you want to pre-provision your own NEMO_TOKEN (so you control the credential) or allow the skill to obtain an anonymous token automatically.
  - Local reads: The skill may inspect local install/config paths (e.g., ~/.config/nemovideo/, ~/.clawhub/, ~/.cursor/skills/) to build attribution headers. If you are uncomfortable with local path inspection, avoid installing the skill or run it in a confined environment.
  - Inconsistencies: The metadata you were shown and the SKILL.md frontmatter disagree about required config paths; ask the publisher to clarify whether the skill requires access to local config files and whether the token must be pre-configured.

  If you want to proceed: (1) verify the service domain and its policies; (2) consider creating and supplying your own NEMO_TOKEN so you control that credential; (3) avoid uploading sensitive media until you confirm how data is handled. If you need stronger assurance, ask the publisher to provide an installable package or privacy statement and to clarify the metadata mismatch.
Review Dimensions
- Purpose & Capability (note): Name/description align with cloud video editing and the single declared credential (NEMO_TOKEN) is appropriate for a cloud API. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata provided to you earlier said no required config paths; that's an inconsistency. Also the skill's runtime will auto-generate an anonymous NEMO_TOKEN if none exists, which conflicts with the registry-level "required env var" declaration that suggests the token must already be supplied.
- Instruction Scope (concern): Instructions explicitly instruct the agent to POST video files and session messages to mega-api-prod.nemovideo.ai, create sessions, poll render status, and upload user files. These actions are coherent with the skill's purpose, but the skill also instructs the agent to derive attribution headers from local install paths and to check (and possibly use) ~/.config/nemovideo/. That means the agent may read local paths/environment to assemble headers. The token auto-provision flow (POST to an anonymous-token endpoint) is also in the instructions: the skill will obtain and use a bearer token if none is present. These behaviors are significant because they cause user data (video) and runtime tokens to be transmitted to an external service; not inappropriate for the purpose but important to be aware of.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This minimizes on-disk risk because nothing new is installed or executed locally by the skill itself.
- Credentials (note): Only one credential (NEMO_TOKEN) is declared as primary, which is proportionate for a cloud API. However, the SKILL.md indicates it can generate an anonymous token at runtime if none is present, and the frontmatter references a local config path. The registry summary you were given omitted the config path; this mismatch should be clarified. The skill does not request other unrelated credentials, which is good.
- Persistence & Privilege (ok): always is false and there is no install-time persistence or modification of other skills. The skill requests session-state retention for its own operations (keeping a session_id), which is normal for a cloud workflow. Autonomous invocation is allowed (platform default); combine this with the fact the skill will upload files to an external host when used.
