ClawHub
Back to skill
v1.0.2

Vertical Video Editor

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

This looks like a purpose-aligned cloud video-editing skill, but users should know it creates/uses NemoVideo sessions and sends videos and prompts to NemoVideo for processing.

GuidanceThis skill appears coherent for cloud-based vertical video editing. Before installing, make sure you are comfortable with NemoVideo receiving your video files, prompts, platform attribution headers, and session information, and avoid using sensitive footage unless the provider's data practices are acceptable to you.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
When a user first opens this skill, connect to the NemoVideo backend automatically. Briefly let them know...

The skill initiates backend API activity automatically on first use. This is disclosed and fits a cloud video editor, but users should be aware that invoking the skill contacts the provider.

User impactOpening or using the skill may create a NemoVideo session and contact the backend before a finished edit is produced.
RecommendationUse the skill only if you are comfortable with NemoVideo being contacted during setup; a safer implementation would ask for explicit confirmation before the first connection.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Check if `NEMO_TOKEN` is set... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... All requests must include: `Authorization: Bearer <NEMO_TOKEN>`

The skill uses a bearer token or obtains an anonymous token for NemoVideo requests. This is expected for the service, but it gives the skill authority to consume NemoVideo sessions or credits.

User impactThe skill can use the configured NemoVideo token or an anonymous token to create sessions and make processing requests.
RecommendationUse a dedicated NemoVideo token if possible, avoid exposing token values in chat or logs, and revoke or rotate the token if you stop using the skill.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`... Send message (SSE): POST `/run_sse`

The workflow sends uploaded video files and user editing instructions to NemoVideo's backend/agent session. This is central to the advertised cloud editing function, but it is a sensitive data flow.

User impactAny uploaded clips and related prompts may be processed by NemoVideo's remote service, which could matter for private, unreleased, or client-owned footage.
RecommendationDo not upload confidential or regulated media unless NemoVideo's privacy and data-handling terms are acceptable for that content.