Skill v1.0.0

ClawScan security

Editor Capcut · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 5:55 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video-editing integration that uses a single service token; nothing in the instructions suggests it's doing unrelated or covert actions, but there are a couple of small metadata inconsistencies and privacy considerations to be aware of.
Guidance
This skill appears to do what it claims: upload your video to a nemo-video cloud backend, run edits, and return a downloadable rendered file. Before installing/using: (1) confirm you are comfortable having your raw video uploaded to https://mega-api-prod.nemovideo.ai and review that service's privacy/retention policy; (2) the skill will either use a provided NEMO_TOKEN or request an anonymous token automatically — avoid supplying long-lived or privileged tokens unless you trust the service; (3) ask the author to clarify the configPath discrepancy (SKILL.md mentions ~/.config/nemovideo/ while registry metadata lists none) if you want to be strict about what local paths the skill may touch; (4) note the skill reads its own frontmatter and detects install paths to set attribution headers — this can reveal which agent runtime you use but is not required for editing itself. If any of these points are unacceptable, decline to install or provide only an appropriately-scoped/ephemeral token.

Review Dimensions

Purpose & Capability
ok
Name/description (AI video editing, short-form clips) matches the declared primary credential (NEMO_TOKEN) and the SKILL.md which describes a cloud render API. Requiring a service token and uploading user media to an editing backend is appropriate for the stated purpose.
Instruction Scope
note
Instructions focus on creating a session, uploading video, streaming SSE edits, and exporting results — all within the editing workflow. Two items worth noting: (1) the SKILL.md instructs the agent to automatically request an anonymous token if NEMO_TOKEN is absent (the skill will call an external auth endpoint and use the returned token), and (2) it reads local installation paths and the skill's YAML frontmatter at runtime to populate attribution headers. Both are explainable by the skill's purpose but broaden the agent's file-system and network actions slightly.
Install Mechanism
ok
Instruction-only skill with no install spec or code files; nothing is downloaded or written to disk by an installer step. This minimizes install-time risk.
Credentials
note
The single required environment variable (NEMO_TOKEN) is proportional to a cloud API integration. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths — this metadata mismatch should be clarified. Also, the skill will attempt to acquire an anonymous token from the network if NEMO_TOKEN is not present, meaning it can operate without an existing user-provided token.
Persistence & Privilege
ok
Skill is not always-enabled; it does not request system-level persistence or modify other skills. Allowing autonomous invocation is the platform default and is not a concern here by itself.