Skill v1.0.0

ClawScan security

Video Maker Fast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 1:29 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
Instructions, required credential, and network calls align with a cloud-based video-editing skill, but the package lacks a source/homepage and there's a small metadata inconsistency you should notice before trusting it with private videos or account credentials.
Guidance
This skill appears to legitimately implement a cloud video-editing workflow: it will upload any clips you provide to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN (or obtain a short-lived anonymous token) to run renders. Before installing or using it: (1) Note there is no homepage or known source/owner; consider this when trusting it with private/personal videos. (2) Understand your media will be sent to an external service; read their privacy/terms if possible. (3) Confirm whether you want the agent to auto-generate and store an anonymous token for you; anonymous tokens carry 100 free credits and a 7-day expiry. (4) Ask the publisher to clarify the small metadata mismatch (SKILL.md mentions a config path ~/.config/nemovideo/ while registry metadata lists none). If you need stronger assurance, request a published source/repository or official homepage and privacy policy before uploading sensitive content.

Review Dimensions

Purpose & Capability
ok
The skill's name and description (cloud-based fast video editing) match its runtime instructions: it calls a nemovideo.ai API, uploads media, creates sessions, and requests a NEMO_TOKEN. No unrelated services or extra credentials are requested.
Instruction Scope
note
SKILL.md explicitly instructs the agent to upload user video files and send SSE/API requests to https://mega-api-prod.nemovideo.ai for session creation, uploads, and rendering. That is expected for a cloud render pipeline, but it means user media and metadata will be transmitted to that external service. The instructions also tell the agent to auto-request an anonymous token if NEMO_TOKEN is missing, which requires making an auth POST call. The document references detecting install/paths and mapping UI actions to API calls, all within the skill's editing purpose. No instructions appear to read unrelated system files, but the guidance to derive headers from local install paths implies the agent may inspect filesystem paths (minor scope creep).
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That minimizes install-time risk.
Credentials
note
Only one credential is declared (NEMO_TOKEN) and it is used directly for API calls; this is proportionate. However, SKILL.md frontmatter lists a configPath (~/.config/nemovideo/) not reflected in the registry metadata (which claimed none). That mismatch is minor but worth clarifying: it could indicate the skill expects to read or store config under that path.
Persistence & Privilege
ok
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request system-wide changes or other skills' credentials. Nothing in SKILL.md requests elevated or persistent platform privileges beyond normal operation.