Skill v1.0.0

ClawScan security

Video Editing With Openshot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 9:09 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's runtime instructions, required credential, and described cloud workflow are consistent with a cloud-hosted AI video editing service; nothing in the package suggests it is trying to do unrelated or hidden actions.
Guidance
This skill appears internally consistent with a cloud-based video editor: it will upload your videos and session data to an external service (mega-api-prod.nemovideo.ai) and will create or use a NEMO_TOKEN (it can obtain a 7‑day anonymous token if one isn't supplied). Before installing, consider whether you trust that external service with your video content and metadata (sensitive footage will be transmitted off-device). Also note a small metadata mismatch: the skill's frontmatter references ~/.config/nemovideo/ while the registry listing did not declare config paths — ask the publisher whether the skill will read/write that directory or store tokens there. If you need local-only editing or strong privacy guarantees, do not use this skill until you can verify the backend/service privacy and retention policies.

Review Dimensions

Purpose & Capability
ok: The skill claims to perform cloud-based video editing and its instructions describe uploading videos, creating sessions, streaming SSE messages, and starting renders on an external API (mega-api-prod.nemovideo.ai). The single required env var (NEMO_TOKEN) and the anonymous-token flow are coherent with a cloud service that accepts either a user-provided token or issues short-lived anonymous tokens.
Instruction Scope
note: The SKILL.md explicitly instructs uploading user media to the external backend, generating UUIDs, calling auth endpoints, maintaining session_ids, polling render endpoints, and including attribution headers. Those actions stay within the declared editing purpose. The skill also instructs reading its own YAML frontmatter and detecting the install path to set attribution headers — this requires local path checks but is limited in scope. Be aware that user media and session tokens will be transmitted off-device to the service.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no bundled code files. That minimizes on-disk installation risk; runtime behavior is limited to network calls and local metadata checks described in SKILL.md.
Credentials
note: Only NEMO_TOKEN is declared as required, which is appropriate for an API-backed editor. The SKILL.md also references a config path (~/.config/nemovideo/) in its frontmatter (metadata) — the registry summary showed no required config paths. This mismatch should be clarified (the skill may read or write that directory to cache tokens/session info).
Persistence & Privilege
ok: The skill is not marked always:true and does not request elevated or persistent platform-wide privileges. It does perform autonomous network operations when invoked (normal for this class of skill).