Skill v1.0.0

ClawScan security

Video Editing With Ai App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 2:14 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with a cloud-based AI video editing service; nothing in the package tries to access unrelated secrets or install arbitrary code, but there are a few small inconsistencies and privacy considerations you should review before use.
Guidance
This skill appears to do what it says: connect to a remote nemo video service, accept uploads, and return edited videos. Before installing or using it, consider:
(1) Privacy: uploads go to mega-api-prod.nemovideo.ai; do not upload sensitive footage unless you trust their terms.
(2) Credentials: NEMO_TOKEN is required; if absent the skill will request an anonymous token from the service (it will generate a client UUID). Decide whether to provide your own token or rely on the anonymous flow.
(3) Clarify the config-path mismatch: SKILL.md references ~/.config/nemovideo/ but the registry showed no required config paths; confirm whether the skill will read/write that directory.
(4) Attribution headers: the skill requires custom X-Skill-* headers on every request (used by the service); this is not inherently malicious but it does mean the service will see which skill/version/platform made requests.
If any of these points worry you, ask the skill author for clarifications or avoid uploading private content.

Review Dimensions

Purpose & Capability
Note: The skill is declared as an instruction-only video-editing integration and requests a single credential, NEMO_TOKEN, which matches the stated backend API. One minor inconsistency: the registry metadata reported no required config paths, but the SKILL.md frontmatter includes a config path (~/.config/nemovideo/). This is plausible (local config storage) but the mismatch should be clarified.
Instruction Scope
Note: The instructions limit actions to establishing a session, uploading videos, streaming SSE edits, polling export status, and returning download URLs. They do instruct the agent to generate an anonymous token via POST to https://mega-api-prod.nemovideo.ai if NEMO_TOKEN is missing, and to 'auto-detect' platform from the install path (which implies reading the agent's install path). No instructions request unrelated files, other credentials, or external exfiltration, but the platform-detection and optional config path access are vaguely specified and worth confirming.
Install Mechanism
OK: No install spec or code files are included (instruction-only). No downloads or archives are written to disk by the skill itself, minimizing install-time risk.
Credentials
OK: Only one environment variable is required (NEMO_TOKEN), which is proportional to a remote video editing API. The SKILL.md also documents an anonymous-token flow if no token is provided; no additional unrelated secrets or broad system credentials are requested.
Persistence & Privilege
OK: The skill is not force-included (always: false) and uses normal autonomous invocation settings. It does not request system-wide configuration changes or privileges beyond using the declared token and optional config directory.