Skillv1.0.0

ClawScan security

Video Editing With Lyrics App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 6:51 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud-based video-lyrics editing service: it needs one service token, uploads media to a named API, and does not ask for unrelated credentials or install additional software.
Guidance: This skill appears coherent for a cloud-based lyrics-video editing service, but it will upload your media to the external domain mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or will request an anonymous token). Before using: (1) confirm you trust nemovideo.ai and review its privacy/terms because uploads may be stored or processed in the cloud; (2) do not provide highly sensitive videos unless you accept cloud processing; (3) verify how long rendered files and tokens are retained and whether anonymous tokens are limited; (4) the skill enforces custom headers and a config path — expect it to store session data locally under ~/.config/nemovideo/ if the environment allows; (5) if you prefer not to share media with an external service, do not install or invoke this skill.

Review Dimensions

Purpose & Capability: okThe name/description (lyrics-synced video editing) matches the declared requirement (NEMO_TOKEN) and the instructions (uploading media, creating a session, starting renders). The required config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are coherent with a cloud rendering client.
Instruction Scope: noteSKILL.md contains detailed, scoped runtime steps (generate anonymous token if needed, create session, upload files, call render endpoints, parse SSE). These steps stay within the stated purpose and do not request unrelated system data. Minor ambiguity: it asks to auto-detect X-Skill-Platform from an 'install path' (the agent environment may not expose this), and it enforces attribution headers that must match the skill frontmatter — unusual but not harmful.
Install Mechanism: okNo install spec and no code files — instruction-only skill. Nothing is written to disk by the skill itself during install, which is the lowest-risk pattern for installers.
Credentials: okOnly a single service credential (NEMO_TOKEN) is required and is used for Authorization to the listed API. The declared config path is plausible for storing session/config data. There are no extra unrelated secrets or many environment variables requested.
Persistence & Privilege: okThe skill is not always-included and uses the platform default for autonomous invocation. It does not request elevated or cross-skill configuration changes in the instructions.