Skillv1.0.0

ClawScan security

Ai Video Jobs Remote · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 11:41 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and instructions are consistent with a cloud video-editing service: it needs a single service token and uploads user video to a remote API, which matches its described purpose — there are no obvious attempts to access unrelated credentials or system areas, but provenance is unknown so exercise caution.
Guidance: This skill is coherent with a cloud-based video editor: it will upload any videos you drop into the chat to the nemovideo backend and use a NEMO_TOKEN (or an anonymous token it fetches) to run jobs. Before installing or using it: verify you trust the domain (mega-api-prod.nemovideo.ai) and its privacy policy, avoid uploading sensitive or confidential footage, prefer using a short-lived or anonymous token rather than your primary account token, and be prepared to rotate/revoke any token you supply. If you need more confidence, ask the publisher for a homepage or documentation and confirm how long tokens/outputs are stored and who can access them.

Review Dimensions

Purpose & Capability: okName/description and runtime instructions align: the skill calls a nemovideo backend, requires a NEMO_TOKEN, creates sessions, uploads media, and starts renders. The declared env var (NEMO_TOKEN) and the listed config path (~/.config/nemovideo/) are coherent with a service-backed video editor.
Instruction Scope: noteInstructions tell the agent to read NEMO_TOKEN (if present) or obtain an anonymous token, create sessions, upload user media, and poll SSE/render endpoints — all expected for remote editing. Important privacy/security note: user media and any metadata will be transmitted to the external nemovideo API; the skill also instructs hiding technical details from chat. This is expected for the service but relevant for sensitive content.
Install Mechanism: okNo install step or third-party downloads are present (instruction-only). That reduces disk-write/installation risk.
Credentials: noteOnly one credential (NEMO_TOKEN) is required — proportional for a cloud API. Minor mismatch: metadata lists a config path (~/.config/nemovideo/) but SKILL.md does not explicitly instruct reading that path; not critical but worth noting. Providing an account token grants the skill full API access tied to that token.
Persistence & Privilege: okSkill is not forced-always-on (always:false) and does not request system-wide privileges. It can be invoked autonomously by the agent (normal default), which combined with network access gives it the ability to call the external service when used.