Skill v1.0.0
ClawScan security
Maker Editor Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 22, 2026, 4:52 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (cloud video editing) matches the network calls and single API token it requests, but there are inconsistencies in the metadata and instructions (declared requirements vs. self-provisioning of tokens, and implicit install-path headers) that warrant caution before installing.
- Guidance: This skill appears to be a straightforward cloud video editor, but there are a few red flags you should consider before installing: (1) Confirm the source and domain (mega-api-prod.nemovideo.ai) — there is no homepage or publisher information listed. (2) Understand that your video files will be uploaded to that external API; do not upload sensitive footage unless you trust the service and its privacy policy. (3) The skill declares NEMO_TOKEN as a required env var but also documents an anonymous-token flow that self-issues tokens; ask the author which is expected in production and whether tokens are stored or sent anywhere else. (4) The skill adds attribution headers that may reveal local install path/platform info — if you care about metadata leakage, request removal or clarification. (5) The registry metadata and SKILL.md disagree about config paths; request corrected manifest or source code to review. If you proceed, prefer using temporary/test accounts and avoid uploading private content until you verify the service and see the skill's source or official homepage.
Review Dimensions
- Purpose & Capability [note]: Name/description match the runtime instructions: the skill directs uploads and editing jobs to a cloud video API (mega-api-prod.nemovideo.ai) and requires an API token (NEMO_TOKEN). This is proportionate for a cloud video editor. However, the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) while registry metadata lists no required config paths — an internal inconsistency in declared requirements.
- Instruction Scope [note]: Runtime instructions remain focused on uploading video, creating sessions, SSE-based edits, polling export status, and downloading results. No instructions request unrelated system files. Concerns: (1) the instructions derive attribution headers from the agent's install path (~/.clawhub/, ~/.cursor/skills/, otherwise unknown), which implies the agent may inspect its environment/paths for header population (privacy/fingerprinting risk). (2) The doc requires NEMO_TOKEN as a declared env var but also documents an anonymous-token flow that auto-generates a token — this discrepancy should be clarified.
- Install Mechanism [ok]: Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install surface.
- Credentials [note]: Only one credential (NEMO_TOKEN) is declared as the primary env var, which is proportionate for a hosted video API. But the skill also documents an anonymous-token endpoint that can issue a temporary token (100 credits, 7-day expiry), meaning the skill can operate without a pre-provided secret. The frontmatter's mention of a config path (~/.config/nemovideo/) is not reflected in registry requirements — inconsistent. Also, the skill mandates adding attribution headers (including X-Skill-Platform derived from local paths), which may leak local environment details to the remote API.
- Persistence & Privilege [ok]: Skill is not always-enabled and does not request elevated or persistent platform privileges. It does not claim to modify other skills or system-wide settings.
