Skill v1.0.0

ClawScan security

Video Editing With Ai Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 26, 2026, 1:45 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (cloud video editing) matches the APIs and single credential it asks for, but there are inconsistencies and a few scope/provenance details that warrant caution before installing.
Guidance
This skill appears to do what it promises (cloud video editing) and only requests one credential (NEMO_TOKEN), but there are some things to confirm before installing:
1) Clarify where the anonymous token and session_id are stored and for how long (the SKILL.md will generate and keep a token if you don't supply one).
2) Ask whether the agent will actually read your home/install paths to set X-Skill-Platform (this is not necessary for editing and involves filesystem access).
3) Decide whether to provide your own NEMO_TOKEN instead of allowing the skill to create one.
4) Remember uploading videos sends your footage to an external service (mega-api-prod.nemovideo.ai): review the vendor's privacy/retention policy before uploading sensitive content.
5) The registry metadata and SKILL.md disagree about config paths — request the publisher clarify and correct the manifest.
If these questions are answered satisfactorily, the skill is likely acceptable; if the publisher cannot explain storage/persistence or insists on undocumented filesystem access, avoid installing.

Review Dimensions

Purpose & Capability
note: The name/description (AI cloud video editing) align with the runtime instructions which call a nemo video API and require a NEMO_TOKEN. However, the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — an inconsistency in declared requirements.
Instruction Scope
concern: Instructions include creating or using a bearer token (NEMO_TOKEN), creating a session, uploading media, and polling for exports — all expected. They also direct the agent to detect its install path (to set X-Skill-Platform) which implies reading filesystem state unrelated to video content. The skill further instructs to hide raw API responses/token values from the user, which is reasonable for secrets but reduces transparency about what was obtained and stored.
Install Mechanism
ok: This is instruction-only with no install spec or downloaded code, so nothing will be written to disk by an installer. That reduces install-time risk.
Credentials
note: The single required environment credential (NEMO_TOKEN) is proportional to the described cloud editing service. The SKILL.md allows generating an anonymous token by POSTing to the vendor API if NEMO_TOKEN is not present — which is expected but means the skill will obtain and hold a credential on the agent's behalf. The mismatch between declared configPaths (in SKILL.md) and registry metadata is unexplained.
Persistence & Privilege
note: always:false (normal). The skill will obtain and store an anonymous token and session_id for subsequent calls; where and how long those credentials are persisted is not specified. The requirement to detect install path for X-Skill-Platform suggests the agent may read user filesystem locations.