Skillv1.0.0

ClawScan security

Hd Video Maker Free Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 20, 2026, 4:16 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (cloud AI video editing) aligns with the environment variables, API endpoints, and instructions; it appears internally coherent, but it will contact an external service, create anonymous tokens automatically, and may store session/config data — review privacy before use.
Guidance: This skill talks to an external Nemovideo API and will upload whatever video files you give it to that service. It will also automatically obtain an anonymous NEMO_TOKEN if none is provided and keep session state (and may store data under ~/.config/nemovideo/). Before installing or using: (1) Confirm you trust mega-api-prod.nemovideo.ai and its privacy policy; (2) Do not upload sensitive files or credentials; (3) If you prefer control, provide your own NEMO_TOKEN from a trusted account rather than allowing the skill to auto-create one; (4) Ask the skill author where tokens/session data are saved and whether they are encrypted; (5) Note there is no installable code to audit beyond the instructions — network behavior happens at runtime.

Review Dimensions

Purpose & Capability: okName and description are HD video editing; the skill requires a NEMO_TOKEN and references a nemovideo config path and nemovideo.ai API endpoints — these are appropriate for a cloud video-editing integration.
Instruction Scope: noteSKILL.md is instruction-only and describes expected API workflows (auth, session creation, SSE, upload, render). It instructs the agent to auto-generate an anonymous token if NEMO_TOKEN is absent, upload user files (multipart or URL), persist session_id for operations, and read the skill's YAML frontmatter and local install path to set attribution headers. These actions are generally within scope for a cloud editor but imply automatic external network activity, potential writing/reading of session/config data, and sending platform/install-path info to the service.
Install Mechanism: okNo install spec and no code files — instruction-only. This minimizes disk footprint and there is nothing being downloaded or executed by an installer.
Credentials: noteOnly NEMO_TOKEN (primary credential) is required, which is proportionate to contacting the Nemovideo API. However, the skill will create an anonymous token via the external auth endpoint if none is present (and appears to expect storing/using it for 7 days). It also requests access to a config path (~/.config/nemovideo/) and will send attribution headers derived from local paths — these are plausible but you should confirm where tokens/sessions are stored and whether that storage location is acceptable.
Persistence & Privilege: okalways is false and model invocation is allowed (platform default). The skill needs to maintain session state for renders, which is normal. There's no request for global agent configuration changes or elevated privileges.