Skill v1.0.0

ClawScan security

Ai Video Editor Happy Birthday · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 6:07 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are generally consistent with a cloud-based birthday video editor that uses the nemo video API, but there are a few small inconsistencies and privacy-relevant behaviors to be aware of before installing.
Guidance
This skill will upload any photos/clips you provide to an external service (mega-api-prod.nemovideo.ai) and will create or use a short-lived API token (NEMO_TOKEN). Before installing, consider: (1) Do you trust nemovideo.ai with the media you’ll upload? Avoid sending sensitive images/videos. (2) The skill can auto-generate an anonymous token (valid ~7 days); if you want control, supply your own NEMO_TOKEN instead of letting the skill create one. (3) The skill may probe common skill/install paths (~/.clawhub, ~/.cursor/skills) and a local config dir (~/.config/nemovideo/) — be cautious if you don’t want the agent inspecting your filesystem. (4) There is no installer or code to run locally (lower risk), but uploads and token handling happen remotely; review the service’s privacy/retention policy if possible. If any of these are unacceptable, do not install or use the skill.

Review Dimensions

Purpose & Capability
note: The name/description match the behavior: it uploads media and orchestrates a cloud render via nemovideo.ai and therefore needs an API token and config paths. Minor inconsistency: registry metadata marks NEMO_TOKEN as a required env var, yet the SKILL.md instructs the agent to auto-acquire an anonymous token if NEMO_TOKEN is not set.
Instruction Scope
note: SKILL.md instructs the agent to POST files and messages to mega-api-prod.nemovideo.ai, create sessions, upload user media, and poll render status. Those actions are within the skill's stated purpose. Two things to watch: (1) it instructs the agent not to display raw API responses or token values to users (reduces transparency), and (2) it asks the agent to detect install paths (~/.clawhub, ~/.cursor/skills) to set X-Skill-Platform, which requires checking filesystem paths outside the skill's folder.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest installation risk (nothing is downloaded or written by an installer).
Credentials
note: Only one credential (NEMO_TOKEN) is declared, which is appropriate for a cloud service. However, the skill both lists NEMO_TOKEN as required and provides a flow to obtain an anonymous token automatically; this mismatch should be clarified. The declared config path (~/.config/nemovideo/) is plausible but means the skill may read or write a local config directory.
Persistence & Privilege
ok: The skill does not request always:true and does not install background components. It instructs storing a session_id for subsequent requests (reasonable for session management) but does not request elevated or persistent system privileges.