Skillv1.0.0

ClawScan security

Video Editor Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 19, 2026, 5:34 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested token and API calls are coherent with a remote video-editing service, but there are minor metadata inconsistencies and a few unclear instructions you should understand before installing.
Guidance: This skill appears to do what it claims (remote AI video editing) and only needs a NEMO_TOKEN, but check these points before installing or using it: - Treat NEMO_TOKEN like a credential: whoever holds it can submit jobs and consume credits. Prefer supplying a token you control rather than relying on the skill's anonymous token flow if you want control over usage. - The SKILL.md mentions a config directory (~/.config/nemovideo/). Confirm whether the skill will write session or token files there and whether you’re comfortable with that storage (privacy, cleanup). - The skill derives attribution headers from an install path and asks you to detect platform paths. That could reveal local paths or environment details; ask the publisher what exactly is included in headers and why. If you prefer, remove that header logic or provide a static X-Skill-Platform value. - Uploaded video/audio/media files are sent to mega-api-prod.nemovideo.ai — review that service's privacy/retention policy before uploading sensitive content. - Because this is instruction-only (no install), runtime actions depend on the agent's implementation. Verify where session state and tokens are kept, and whether the agent will persist them across runs. If these points are acceptable (and you trust the nemo-video endpoint), the skill is coherent for its stated purpose. If any of the above is unclear, ask the skill author for clarifications about token persistence, header contents, and local file writes before enabling it.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: the skill uploads video files to a remote nemo-video API, creates sessions, and requests renders. Requiring a NEMO_TOKEN (Bearer auth) is appropriate for this purpose.
Instruction Scope: noteInstructions focus on using the remote API (session creation, upload, SSE, render). They also instruct generating an anonymous token if NEMO_TOKEN is not present, saving session_id, and deriving attribution headers from environment/paths. The header/platform detection (looking at install paths) and lack of explicit guidance where to persist session state are noisy and could result in reading local paths or saving state unexpectedly.
Install Mechanism: okNo install spec or code files — the skill is instruction-only, so nothing is being downloaded or written by an installer. This minimizes install-time risk.
Credentials: noteThe skill declares NEMO_TOKEN as the primary credential, which is proportional. However, the SKILL.md metadata also references a config path (~/.config/nemovideo/) while the registry listed none — this mismatch is ambiguous and suggests the skill may expect to read or write a local config directory for tokens/sessions.
Persistence & Privilege: okalways is false and autonomous invocation is the platform default. The skill suggests saving session_id and may write conf files (per metadata), but it does not request elevated or cross-skill privileges. Clarify where session data is stored before trusting persistent tokens on disk.