Skill v1.0.0

ClawScan security

Tiktok Video Editor Online Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 8:31 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with a cloud-based TikTok-style video editor: it expects a NEMO_TOKEN (or will obtain an anonymous one), uploads user video files to the nemovideo.ai backend, and uses session/render endpoints to return a download URL — nothing in the instructions appears to be unrelated to that purpose, though there are a few minor scope/privacy notes to consider.
Guidance
This skill appears to do what it says: it uploads user video files to a nemovideo.ai backend and returns edited exports. Before installing or using it:
1) Accept that videos you send will be uploaded to an external service (privacy risk: do not upload sensitive or confidential footage).
2) Verify the backend domain (mega-api-prod.nemovideo.ai) and the service's privacy/TOS if possible.
3) Be aware the skill can auto-create an anonymous NEMO_TOKEN (100 free credits, 7-day expiry); confirm where that token or session info is stored (metadata references ~/.config/nemovideo/).
4) If you operate in a restricted environment, restrict the agent's filesystem/network access because the skill may probe common install paths (~/.clawhub, ~/.cursor/skills) to set headers.
5) If you need stronger assurance, request the skill author/source or test with throwaway content and a throwaway token before using real media.

Review Dimensions

Purpose & Capability
ok · Name/description (TikTok video editor) match the declared requirement for a NEMO_TOKEN and interaction with a nemovideo.ai cloud backend. Asking for a token and a configPath for nemovideo (~/.config/nemovideo/) is proportionate to a cloud service integration that uploads and processes video.
Instruction Scope
note · SKILL.md directs the agent to accept user video uploads and POST them to mega-api-prod.nemovideo.ai, manage sessions and render jobs, and poll for a download URL — all expected for this service. It will auto-generate an anonymous token via the service if NEMO_TOKEN is absent. Note: headers include X-Skill-Platform derived by probing install paths (~/.clawhub/ and ~/.cursor/skills/) which would require checking filesystem paths beyond the declared configPath; that is a small scope creep and worth auditing if you are concerned about filesystem reads.
Install Mechanism
ok · Instruction-only skill with no install spec or code to download — lowest-risk delivery model. It does not write arbitrary archives or install binaries.
Credentials
ok · Only NEMO_TOKEN is declared as required (primaryEnv). The SKILL.md behavior (check for NEMO_TOKEN, otherwise obtain an anonymous token from the service) aligns with that declaration. No unrelated credentials or broad environment access are requested.
Persistence & Privilege
note · Skill is not always-enabled and allows normal autonomous invocation. It keeps a session_id for job management (expected). Minor concern: the metadata references a config path (~/.config/nemovideo/) and the instructions imply token/session lifecycle (tokens expire in 7 days). The skill may read certain filesystem paths to set attribution headers; that filesystem probing is outside the explicitly declared configPaths and should be considered before granting broad filesystem access.