Skill v1.0.0

ClawScan security

Video Clip Maker Ai Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 2:18 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video editing) matches most instructions, but there are small inconsistencies (a hidden config-path requirement in the skill frontmatter vs registry metadata) and the runtime instructions will upload user videos and create/consume tokens on an external API — behavior you should only allow if you trust the external service and understand privacy implications.
Guidance
This skill will upload any video files you provide to an external service (mega-api-prod.nemovideo.ai) and uses a NEMO_TOKEN (it will create an anonymous one if none exists). Before installing/using it: 1) Confirm you trust nemovideo.ai (privacy, retention, and terms) because your video content is sent off-device. 2) Check whether you already have a NEMO_TOKEN in your environment — the skill will use it if present. 3) Ask the publisher about the mismatched config-path declaration (~/.config/nemovideo/) in the SKILL.md frontmatter vs the registry metadata. 4) If you handle sensitive content, do not upload until you verify storage/retention policies. If you want help drafting questions to the publisher or vetting the domain/terms, I can help.
Findings
[no-code-files-found] expected: The scanner found no code files (instruction-only skill). This is expected, but means static regex findings are not available — review the SKILL.md carefully for behavior (network calls, token handling).

Review Dimensions

Purpose & Capability
note: The name/description (cloud video clip creation) aligns with the APIs and flows described (upload, SSE, render/export). However SKILL.md frontmatter advertises a required config path (~/.config/nemovideo/) while registry metadata lists no required config paths — this mismatch is unexplained and worth asking the publisher about. The required env (NEMO_TOKEN) is coherent for a cloud API.
Instruction Scope
note: Instructions stay within the editing/exporting domain: create session, upload video, run SSE, poll render status, return download URL. They explicitly instruct the agent to look for NEMO_TOKEN in env and, if missing, to request an anonymous token from the external endpoint. The skill will send user-supplied files to mega-api-prod.nemovideo.ai — expected for the purpose, but a clear privacy/exfiltration action the user should be aware of.
Install Mechanism
ok: No install spec and no code files — lowest disk risk. All runtime behavior is instruction-only and performs network calls; nothing is written by an installer.
Credentials
concern: The only declared credential is NEMO_TOKEN (primaryEnv), which makes sense. But SKILL.md metadata mentions a config path (~/.config/nemovideo/), which the registry listing did not show — inconsistent declarations. The skill will also read environment variables and may use any existing NEMO_TOKEN it finds; if one exists in your environment it will be used to authorize uploads and renders (i.e., the skill can use/expose that token to the external service).
Persistence & Privilege
ok: always is false and there is no install-time persistence. The skill does request an ephemeral anonymous token if none exists, but it doesn't ask to be force-enabled or to alter other skills' config.