Skill v1.0.0

ClawScan security

Instagram Video Editor For Pc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 4:55 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (cloud video editing) matches what its instructions request (a single NEMO_TOKEN and calls to a NemoVideo API); nothing obvious is asking for unrelated secrets or local privileges, but there are a few small inconsistencies and privacy considerations you should review before use.
Guidance
This skill appears to do what it says: send your videos to a NemoVideo cloud service for editing. Before installing, confirm you trust the external domain (mega-api-prod.nemovideo.ai) because your uploaded videos and any associated metadata will be sent there. Consider providing your own NEMO_TOKEN (instead of letting the skill auto-request an anonymous token) if you want control over account/credits. Ask the publisher to clarify the metadata mismatch about ~/.config/nemovideo/ (does the skill read or write that path?) and whether tokens are persisted to disk. Avoid uploading sensitive or private footage until you’re comfortable with the service’s privacy/retention policies.

Review Dimensions

Purpose & Capability
[note] Skill claims to run cloud GPU video edits and indeed only requires a single service token (NEMO_TOKEN) and network calls to a video backend. This capability reasonably explains the required credential and endpoints. Note: the frontmatter metadata lists a config path (~/.config/nemovideo/) while the registry summary earlier said 'Required config paths: none' — that mismatch should be clarified.
Instruction Scope
[note] SKILL.md instructs the agent to upload user video files and perform session creation, SSE chat, polling, and export workflows against https://mega-api-prod.nemovideo.ai. These network operations are expected for a cloud editor. It does not instruct reading unrelated system files, but it does require deriving an X-Skill-Platform header from install paths (which implies inspecting the runtime environment). The skill also performs anonymous-token acquisition if NEMO_TOKEN is absent — the agent will call the auth endpoint and use the returned token.
Install Mechanism
[ok] Instruction-only skill with no install spec or code to download/execute. Low installation risk because nothing is written to disk by the skill itself (behavior depends on the agent runtime).
Credentials
[note] Only one credential is declared (NEMO_TOKEN), which matches the backend API usage. The skill will auto-acquire an anonymous token if NEMO_TOKEN is missing — this is convenient but means the skill will make outbound network requests to obtain credentials. The metadata also references a config path (~/.config/nemovideo/) which is plausible but not explained in the registry summary; clarify whether the skill will read or write that path.
Persistence & Privilege
[ok] always:false and normal autonomous invocation are set (expected). The skill does not request system-wide privileges or modification of other skills. Risk is limited to external network usage and handling of uploaded media (expected for a cloud editor).