Skill v1.0.0

ClawScan security

Ai Video Editor Apk Mod · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 25, 2026, 7:57 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly behaves like a cloud-based AI video editor (uploads videos and calls an external API) but contains small inconsistencies (metadata vs registry) and instructs access to an external service and a local config path, so you should review privacy/credential implications before installing.
Guidance
This skill functions like a cloud video editor and will upload your videos to an external service (mega-api-prod.nemovideo.ai) and use a bearer token (NEMO_TOKEN) to authenticate. Before installing:
1) Decide whether you trust the external domain and service to handle your media and any personal data in videos.
2) Prefer providing a short-lived or anonymous token rather than a long-lived personal credential; note the skill can obtain an anonymous token itself if NEMO_TOKEN is absent.
3) Verify the discrepancy between the registry (no config paths) and the SKILL.md frontmatter (mentions ~/.config/nemovideo/). If you have a ~/.config/nemovideo/ directory, inspect it for sensitive data and be cautious that the skill may read it.
4) Don’t store sensitive system credentials in NEMO_TOKEN; avoid giving unrelated secrets.
5) If possible, test with non-sensitive sample clips first and review the service’s privacy/terms outside the skill.
If you need more certainty, request the publisher/source of the skill or a signed official integration from the service owner.

Review Dimensions

Purpose & Capability
note: The SKILL.md describes a cloud AI video editor and the required NEMO_TOKEN and API endpoints match that purpose. However the skill name ('APK Mod') and frontmatter mention an on-disk config path (~/.config/nemovideo/) while the registry metadata said no config paths are required; this mismatch is unexplained.
Instruction Scope
note: Runtime instructions direct the agent to read NEMO_TOKEN (or obtain an anonymous token via POST), create sessions, upload user video files, and poll render endpoints on mega-api-prod.nemovideo.ai. These network calls and uploads are expected for a cloud editor, but the skill also instructs deriving headers from the skill file and detecting an install path (~/.clawhub/, ~/.cursor/skills/) which requires some filesystem context; the instructions do not request unrelated secrets but they do transmit user media to an external service.
Install Mechanism
ok: No install spec and no code files are present (instruction-only). This minimizes on-disk installation risk; nothing is downloaded or written by an installer step described in the skill.
Credentials
note: The skill requests a single environment credential (NEMO_TOKEN) which is proportionate for a cloud API. It will generate an anonymous token if none exists, which is reasonable. The frontmatter also lists a config path (~/.config/nemovideo/) not declared in the registry requirements; this discrepancy could mean the skill expects to read local config (possible credential or usage data) and should be clarified.
Persistence & Privilege
ok: always is false and the skill does not request elevated or persistent platform-wide privileges. It does not instruct modifying other skills or system-wide configs.