Skill v1.0.0

ClawScan security

Editor App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 11:48 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based AI video editor, with only small metadata/instruction inconsistencies to note.
Guidance
This skill appears to be a straightforward cloud video editor: it uploads your media to mega-api-prod.nemovideo.ai and returns edited output. Before installing, consider the privacy and trust implications of uploading videos (especially sensitive content) to a third-party service. Note two small inconsistencies: the SKILL.md can obtain an anonymous NEMO_TOKEN itself (so an env var is optional in practice), and the frontmatter mentions a config path (~/.config/nemovideo/) that the registry metadata did not. Confirm you are comfortable with the service domain, test with non-sensitive clips first, and avoid installing if you do not want any of your media or environment-derived metadata shared with that backend. If you need more assurance, ask the skill author to clarify whether the agent will read any local config files and whether tokens are persisted or logged.

Review Dimensions

Purpose & Capability
ok: Name, description, and required NEMO_TOKEN align with a cloud video-editing backend. The skill calls only the documented nemovideo.ai endpoints needed to create sessions, upload media, run renders, and check credits.
Instruction Scope
note: Runtime instructions stay within video-editing scope (token check, session creation, SSE, upload, render polling). They explicitly instruct the agent to read NEMO_TOKEN from the environment or obtain an anonymous token via the public anonymous-token API. Nothing in the SKILL.md instructs the agent to read unrelated system files, but frontmatter mentions a config path (~/.config/nemovideo/) which is not referenced elsewhere; this is an inconsistency to be aware of.
Install Mechanism
ok: Instruction-only skill with no install spec or remote downloads; nothing is written to disk by an installer step. Low install risk.
Credentials
note: The only declared credential is NEMO_TOKEN, which is appropriate for a cloud API. However, SKILL.md describes creating an anonymous token if NEMO_TOKEN is missing (so the token is not strictly required), and the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while registry metadata showed none; this mismatch should be clarified.
Persistence & Privilege
ok: No always:true flag, no system-wide config edits, and no other elevated privileges requested. The skill creates sessions/tokens for its own use, which is normal for a cloud service integration.