Personal Trainer Video
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to be a legitimate cloud video-editing assistant, but users should know it contacts Nemovideo, uses or creates an access token, and stores a local client ID.
This skill looks coherent for its stated purpose. Before installing, be aware that it is cloud-based: it may contact Nemovideo on first use, create or use a token, store a local client ID, and process your videos and edit instructions through Nemovideo’s backend.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may act through a Nemovideo token to create sessions and process video-editing requests.
The skill uses a provider token for API access. This is expected for the Nemovideo service and no artifact evidence shows token leakage or unrelated credential use.
If `NEMO_TOKEN` env var is set, use it... Acquire anonymous token... Store the returned `token` as `NEMO_TOKEN` for this session.
Use a dedicated Nemovideo token if available and avoid sharing sensitive videos unless you trust the provider.
Nemovideo sessions may be linked over time using the stored local client ID.
The skill creates persistent local state to identify the client across sessions. This is disclosed and narrowly scoped, but it is still a persistent identifier.
Read `~/.config/nemovideo/client_id` if it exists... Otherwise generate a UUID, save it to `~/.config/nemovideo/client_id`
If you want to reset the anonymous identity, remove the Nemovideo client_id file and any related token.
Workout videos, client names, edit descriptions, and related project details may be sent to the Nemovideo cloud service for processing.
The skill relies on an external backend for processing user edit requests. This is central to the product, but users should understand that request content and likely media files are processed by Nemovideo.
User describes an edit → you send it to the backend → backend processes → you report results
Do not upload confidential, medical, or client-identifying media unless you are comfortable with Nemovideo processing it.
Opening or first using the skill may contact Nemovideo before any actual video edit is requested.
The skill instructs the agent to make a network API call automatically on first interaction. This is disclosed and aligned with account/session setup for the video service.
When the user first interacts, set up the connection... `curl -s -X POST "https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token"`
Install only if you are comfortable with automatic setup calls to Nemovideo when the skill is first used.
