Skill v1.0.0

ClawScan security

Free Video Editing App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 12:10 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video editing) mostly matches its runtime instructions (uploading files to a nemovideo.ai API), but there are metadata/instruction mismatches and some missing provenance that warrant caution before installing or using it.
Guidance
This skill appears to be a front-end for a remote video-editing API (nemovideo.ai) and will upload your video files to that service and obtain or use a token (NEMO_TOKEN). Before installing or using it:
1) Verify the service/domain and the skill publisher (there's no homepage and source is unknown).
2) Confirm privacy, retention, and sharing policies for uploaded videos — don't upload sensitive content until you're comfortable.
3) Decide whether you want to provide your own NEMO_TOKEN (for control) or let the skill auto-generate an anonymous token; note the SKILL.md both declares the env var as required and provides an anonymous-token flow (inconsistent).
4) Ask the publisher to clarify the configPath vs registry metadata mismatch (~/.config/nemovideo/ listed in frontmatter but not in registry).
5) If you need stronger assurance, request a published homepage, docs, or an official package/source repository before enabling the skill.

Review Dimensions

Purpose & Capability
note: The skill claims to perform remote AI video editing and all runtime instructions target a nemo-video API (upload, SSE, render). Requesting a NEMO_TOKEN and session handling is coherent with that purpose. However, the registry metadata (no config paths) disagrees with the SKILL.md frontmatter (which lists ~/.config/nemovideo/), and SKILL.md says NEMO_TOKEN is required in metadata but also gives a full anonymous-token flow to obtain one automatically — these inconsistencies are unexplained.
Instruction Scope
note: Instructions are explicit about calling external APIs, uploading user video files, streaming SSE responses, polling for render status, and storing a session_id. Those actions are within scope for a cloud edit service. The skill will upload user content to an external domain (mega-api-prod.nemovideo.ai) and instructs the agent to suppress showing raw tokens/responses. That is expected for a service but has privacy implications the user should understand.
Install Mechanism
ok: Instruction-only skill with no install spec or code files — lowest install risk. No binaries or downloads are requested.
Credentials
note: Only a single credential (NEMO_TOKEN) is declared, which fits the described API usage. But SKILL.md both treats NEMO_TOKEN as optional (auto-create anonymous token) and declares it required in metadata. The frontmatter also mentions a config path (~/.config/nemovideo/) that the registry summary did not list — inconsistent declarations regarding environment and config access.
Persistence & Privilege
ok: The skill is not force-enabled (always:false) and does not request elevated platform privileges. It asks to store a session_id for request continuity, which is normal for a remote API client. Nothing indicates it modifies other skills or system-wide settings.