Back to skill
Skillv1.0.0
ClawScan security
Video Editing Ai List · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 26, 2026, 2:52 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions are consistent with a cloud-based AI video editing service — it needs a service token and uploads user video to the provider — there are only minor metadata inconsistencies to confirm with the author.
- Guidance
- This skill appears to do what it says: it uploads your video files to the nemovideo.ai service for cloud rendering and requires a NEMO_TOKEN API token (or it can obtain a short-lived anonymous token). Before installing: (1) Confirm you are comfortable with your videos being sent to https://mega-api-prod.nemovideo.ai (privacy/legal concern). (2) Prefer providing a scoped/token you control rather than sharing long-lived credentials; rotate tokens if possible. (3) Ask the skill author why a config path (~/.config/nemovideo/) is declared in metadata even though the SKILL.md doesn't show reading it. (4) Because this skill will transmit potentially sensitive media, avoid uploading private data unless you trust the provider and have reviewed its retention/usage policy.
Review Dimensions
- Purpose & Capability
- noteThe name/description match the declared requirements: a single provider token (NEMO_TOKEN) and cloud API endpoints for uploading and rendering video. One small mismatch: the metadata lists a config path (~/.config/nemovideo/) that the runtime instructions do not explicitly read; this is plausible (used to detect existing local config) but is not justified in the SKILL.md.
- Instruction Scope
- okSKILL.md directs the agent to authenticate (use NEMO_TOKEN or obtain an anonymous token), create a session, upload user-supplied video files, drive edits via SSE or API calls, poll for render status, and return download URLs. These actions are appropriate for a cloud video-editing tool. Important privacy note: the instructions explicitly upload user media to https://mega-api-prod.nemovideo.ai, so user videos will be transmitted to and processed by that third-party service.
- Install Mechanism
- okNo install spec or code is included; this is instruction-only, which minimizes install-time risk. Nothing in the skill attempts to download or install external binaries.
- Credentials
- noteThe skill asks for exactly one credential (NEMO_TOKEN) which is appropriate for a cloud API. The metadata also lists a config path (~/.config/nemovideo/) which may allow detecting existing local tokens/config — reasonable but not explained in SKILL.md. There are no unrelated credentials requested.
- Persistence & Privilege
- okThe skill does not request always:true, has no install-time persistence, and does not declare elevated privileges or access to other skills' configs. It will operate as an on-demand integration that can be invoked by the agent (normal behavior).