Skill v1.0.0

ClawScan security

Free Free Youtube Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 8:47 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with its claimed purpose (remote video editing/export), but it contacts an external cloud service and auto-creates a bearer token if none is present — review privacy and token-handling before use.
Guidance
This skill will send any video you give it (or the video URLs) to an external service (mega-api-prod.nemovideo.ai) for processing and will use a bearer token (NEMO_TOKEN) for auth — it can also request an anonymous token on your behalf. Before installing: (1) confirm you trust that external domain and its privacy/terms (uploads may contain private or copyrighted content), (2) decide whether you want to provide a persistent NEMO_TOKEN or allow anonymous token creation (tokens expire after 7 days), and (3) verify how/where the token will be stored if you plan to reuse it (SKILL.md is ambiguous about persisting tokens). If you need provenance, ask the publisher for a homepage or source repository before granting the skill network access.
Findings
[no_code_files] expected: Scanner found no code files — this is an instruction-only skill that relies on remote API calls, so lack of executable files is expected. Network behavior is described in SKILL.md rather than implemented in packaged code.

Review Dimensions

Purpose & Capability
ok
The skill claims to edit/export YouTube videos via a cloud backend and its instructions describe API endpoints, upload, SSE streaming, and render requests that match that purpose. The only small mismatch is that the metadata declares a config path (~/.config/nemovideo/) while the runtime instructions do not explicitly require reading that file; instead the skill checks NEMO_TOKEN in the environment and can obtain one via the anonymous auth endpoint.
Instruction Scope
note
SKILL.md instructs the agent to upload user-provided video files or URLs and to perform authenticated API calls (session creation, SSE, render/polling). These actions are expected for a remote video editor. The instructions do not ask the agent to read arbitrary system files or unrelated credentials, but they do direct sending potentially large user data (videos) to an external domain (mega-api-prod.nemovideo.ai).
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files — lowest install risk. All network behavior is described in prose (no downloaded archives or third-party install sources).
Credentials
note
Only a single credential (NEMO_TOKEN) is declared as required and is used for API calls — proportional to the service. Minor inconsistency: the skill will auto-request an anonymous token from the service if NEMO_TOKEN is absent, yet metadata lists NEMO_TOKEN as required and includes a config path; the SKILL.md does not clearly state whether the retrieved token is persisted to disk or only used in-session.
Persistence & Privilege
ok
The skill does not request always:true and does not include install-time privileged actions. It will create and use session tokens on the remote service, which is normal for this functionality.