Skill v1.0.0
ClawScan security
Shortform Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 4:50 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud short-video editing service: it asks for a single service token (NEMO_TOKEN), describes API endpoints for uploads/renders, and has no install steps, but the source is unknown and the SKILL.md references a local config path, so exercise normal caution before sending sensitive data or secrets.
- Guidance: This skill appears internally coherent for a cloud short-video editor, but you should be cautious before enabling it. Things to consider: (1) It uploads your video files to an external domain (mega-api-prod.nemovideo.ai); don't send videos you consider sensitive. (2) It uses a single service token (NEMO_TOKEN); if you provide one, ensure it's scoped/replaceable (use revocable or short-lived tokens where possible). (3) SKILL.md mentions a local config path (~/.config/nemovideo/) and checks install paths to set a header; review that directory for secrets before enabling if you want to avoid accidental credential access. (4) The skill has no listed homepage or known publisher; verify the provider and TLS certificate of the API endpoints if you require stronger assurance. If you need higher assurance, ask the publisher for documentation, a homepage, or a signed package and prefer using anonymous/ephemeral tokens for testing.
Review Dimensions
- Purpose & Capability (ok): Name/description (short-form video editing) align with the required credential (NEMO_TOKEN) and the runtime actions (session creation, upload, render, export). All declared endpoints and operations are appropriate for a cloud video processing service.
- Instruction Scope (note): SKILL.md instructs the agent to perform network calls to nemovideo.ai endpoints (auth, session, upload, SSE, export) and to stream SSEs to the user, which is expected. It also includes logic to detect an install path to set an attribution header and references a local config path (~/.config/nemovideo/) for credentials/state; those filesystem reads are plausible for caching tokens but expand the skill's scope beyond purely network I/O. The instructions also direct the agent to generate an anonymous token if no NEMO_TOKEN is present, which makes additional outbound calls.
- Install Mechanism (ok): No install spec and no code files; the skill is instruction-only. This minimizes disk-write risk; the skill performs live HTTP interactions only. No downloaded binaries or archives are requested.
- Credentials (note): Only one declared credential (NEMO_TOKEN) is required, which is proportionate to a remote API. However, SKILL.md metadata includes a config path (~/.config/nemovideo/) not listed elsewhere in the registry metadata. The discrepancy is worth noting because that path may contain cached tokens or user data the agent may read.
- Persistence & Privilege (ok): The skill is not forced-always; autonomous invocation is allowed (platform default). It does not request system-wide changes or persistent installation. No elevated privileges are requested.
