Skillv1.0.0

ClawScan security

Screen Video Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 11:29 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are coherent with a cloud-based video editing service: it only needs a service token, makes API calls to the declared nemo API, and contains no unrelated credentials or installers.
Guidance: This skill appears to do what it says: it uploads your screen recordings to nemovideo.ai for cloud editing and returns edited videos. Before installing or invoking it, consider: (1) You will be sending video files to a third-party domain (mega-api-prod.nemovideo.ai) — check their privacy/terms for how uploaded media and transcripts are stored and used. (2) If NEMO_TOKEN is not set, the skill will automatically request an anonymous token and store a session id for subsequent API calls; if you prefer explicit consent, set your own NEMO_TOKEN ahead of time or avoid opening the skill until you are ready. (3) The skill may inspect common install paths to set an attribution header — if you don’t want the agent to read its install path, avoid invoking the skill or restrict its filesystem access. Overall this skill is internally consistent, but treat uploads of private or sensitive video content cautiously and confirm the service’s data retention/policy before use.

Review Dimensions

Purpose & Capability: okThe name/description match the declared requirements: a single NEMO_TOKEN credential and a nemovideo.ai API are required for cloud video processing. The declared config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are consistent with a cloud rendering backend.
Instruction Scope: noteSKILL.md instructs the agent to obtain or use NEMO_TOKEN, create sessions, upload user-provided video files, send SSE messages, poll render status, and download results — all expected for this service. It does instruct deriving an X-Skill-Platform header by inspecting common install paths (e.g., ~/.clawhub/, ~/.cursor/skills/) which requires checking the agent's filesystem; this is minor scope creep but explainable for attribution headers. The skill does not request unrelated file reads or other system credentials.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That is low-risk and appropriate here.
Credentials: okOnly one environment variable (NEMO_TOKEN) is required and it is the primary credential used for all API calls. The skill also documents how to obtain an anonymous token if one is not present; no other secrets or unrelated credentials are requested.
Persistence & Privilege: noteThe skill is not force-included (always:false). It will autonomously call the remote API when first opened (automatic anonymous token acquisition if NEMO_TOKEN absent) which is expected for a cloud editor but means the agent will perform network activity on open. It does not request system-wide config modifications or other skills' credentials.