Skill v1.0.0

ClawScan security

Video Editing With Gopro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 10:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches a remote GoPro editing service but contains several inconsistencies and behaviors that warrant caution (automatic token generation, filesystem/install-path probing, and a 4K claim that conflicts with stated API limits).
Guidance
This skill appears to be a wrapper around a remote video-processing API (nemovideo). Before installing: (1) Confirm you trust the external domain (https://mega-api-prod.nemovideo.ai) and its privacy/terms — your raw video will be uploaded to that service. (2) Ask the author or vendor to resolve contradictions: the skill advertises 4K output but the pipeline text says up to 1080x1920. (3) Clarify where and how tokens/session IDs are stored (in memory vs written to ~/.config/nemovideo/) and whether anonymous tokens created automatically will be persisted. (4) If you have sensitive footage, do not use the skill until you confirm retention, access controls, and deletion policies for uploaded videos. (5) If you want stronger assurance, request the skill author to remove install-path probing for X-Skill-Platform (or document exactly what is read) and to make token-creation explicit (ask for user consent) rather than automatic.

Review Dimensions

Purpose & Capability
note: The skill's name and description match a remote video-editing service that would reasonably require an API token. However, there are clear mismatches: the frontmatter/description promises "4K" outputs, while the Cloud Render Pipeline text limits outputs to H.264 up to 1080x1920. Registry metadata (earlier summary) lists no config paths, but the SKILL.md frontmatter references a config path (~/.config/nemovideo/). These inconsistencies reduce confidence that the declared capabilities and constraints are accurate.
Instruction Scope
concern: The runtime instructions will (1) automatically request an anonymous token from an external endpoint if NEMO_TOKEN is absent, (2) create and store a session_id for subsequent API calls, and (3) require the agent to determine the install path in order to set the X-Skill-Platform header (which implies probing filesystem locations such as ~/.clawhub/ or ~/.cursor/skills/). Auto-generating and storing API tokens and probing install paths go beyond simple editing and raise privacy and scope questions. The instructions also tell the agent to upload user video files (expected) and to avoid showing raw tokens to users (good practice).
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest disk/installation risk.
Credentials
note: Only one environment variable (NEMO_TOKEN) is declared as required, which is proportionate for an API-backed service. But SKILL.md both references an on-disk config path (~/.config/nemovideo/) and instructs creating an anonymous token at runtime when NEMO_TOKEN is absent; it's unclear whether tokens/session IDs are persisted to disk or only kept in memory. The token generation behavior means the skill can obtain credentials without explicit user-provided keys, which is plausible but should be communicated to users.
Persistence & Privilege
ok: The skill does not request always:true or other elevated platform privileges, and there is no install-time code writing to system locations. The only persistence implied is storing a session_id / token for session management; storage location and lifetime are unspecified.