Back to skill
Skillv1.0.0
ClawScan security
Video Editing With Kdenlive · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 6:51 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent: it uses a Nemo cloud backend for AI-assisted video editing, requires a single NEMO_TOKEN (and can create an anonymous token if not provided), and has no install step or unrelated credential requests.
- Guidance
- This skill sends your uploaded video files to a third-party cloud service (mega-api-prod.nemovideo.ai). It will use NEMO_TOKEN if you provide one, or automatically request a short-lived anonymous token on first use. If you care about privacy or data retention, review the Nemo service's privacy/billing terms before uploading sensitive footage. Note the skill name references 'Kdenlive' but the editing is performed in Nemo's cloud pipeline (not the local Kdenlive app). If you prefer explicit consent before network calls, set NEMO_TOKEN in advance (so you control credentials) or avoid using the skill.
Review Dimensions
- Purpose & Capability
- noteThe declared purpose (AI-assisted video editing producing polished exports) aligns with the runtime instructions (upload, session creation, render/export endpoints). Minor mismatch: the skill name mentions 'Kdenlive' which suggests local Kdenlive editing, but the instructions clearly route work through a remote 'nemovideo' cloud service — a naming/branding difference rather than a functional inconsistency.
- Instruction Scope
- okSKILL.md gives concrete, bounded runtime instructions: check NEMO_TOKEN, optionally obtain an anonymous token, create a session, upload files, request renders, poll for completion, and download results. The instructions reference reading this skill's frontmatter and detecting an install path to populate attribution headers — both are narrowly scoped and explained. Nothing in the instructions asks the agent to read unrelated system files or other credentials.
- Install Mechanism
- okThere is no install spec or code to download; the skill is instruction-only, so nothing is written to disk by an installer. This is the lowest install risk.
- Credentials
- okOnly a single environment credential is declared (NEMO_TOKEN), which is proportional to a cloud API-based editing service. The skill documents fallback behavior (anonymous-token generation) when the token isn't present. No unrelated secrets or multiple external credentials are requested.
- Persistence & Privilege
- okThe skill is not force-included (always: false). It instructs storing a session_id and token for the session scope, which is normal for interacting with a remote API. It does not request system-wide privileges or modify other skills' settings.