Skillv1.0.0

ClawScan security

Video Maker Free For Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 13, 2026, 8:52 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are internally consistent with a cloud-based video-editing service: it asks only for a service token and describes uploading clips and interacting with the stated backend API.
Guidance: This skill appears to do what it claims: it uploads your video clips to a cloud backend (mega-api-prod.nemovideo.ai) and returns edited MP4s. Before installing or using it, consider: (1) privacy — your video files and any audio/text in them are sent to an external service, so avoid uploading sensitive content; (2) token scope — NEMO_TOKEN grants the skill access to your account/session on the service, so only provide a token you trust and understand (the skill can also request an anonymous temporary token if none is present); (3) verify you trust the domain and its privacy/retention policy; and (4) the skill will read its own frontmatter and detect certain local install paths for attribution (this reveals little system info but is not necessary for core editing). If you need stronger guarantees, ask the developer for a privacy/data-retention statement or test with non-sensitive media first.

Review Dimensions

Purpose & Capability: okName/description describe a cloud video-editing service; required primary credential (NEMO_TOKEN), API endpoints (nemovideo.ai), upload and render workflows, and config path (~/.config/nemovideo/) all align with that purpose.
Instruction Scope: noteSKILL.md instructs the agent to upload user-provided media to the external nemovideo.ai backend, create sessions, poll SSE, and include attribution headers. These actions are expected for the stated purpose, but note this will send user media (and metadata) off-device to the service — a privacy consideration. The doc also instructs detecting install path (~/.clawhub/ or ~/.cursor/skills/) to set X-Skill-Platform which reads local paths outside the skill file; this is minor scope creep but understandable for attribution.
Install Mechanism: okInstruction-only skill with no install spec or external downloads; nothing is written to disk by an installer. Low install risk.
Credentials: okOnly a single API token (NEMO_TOKEN) is required and used for authorization with the described backend. The doc also offers an anonymous-token creation flow if the env var is absent — this is consistent with enabling use without pre-provisioned credentials.
Persistence & Privilege: okSkill is not force-enabled (always:false) and does not request elevated platform privileges. It uses session tokens for its own operations and does not attempt to modify other skills' configs. Minor concern: it inspects install paths to set an attribution header, which reveals how the agent was installed but does not escalate privileges.