Skill v1.0.0

ClawScan security

Video Editor Link · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 29, 2026, 7:11 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions are generally consistent with a cloud video-editing integration, but there are mismatches and privacy-relevant behaviors (reading install paths/frontmatter, uploading user video to an external service) that you should verify before installing or providing credentials.
Guidance
This skill appears to be a legitimate cloud video-editing integration, but review these points before installing or providing secrets:

- Privacy: using this skill uploads your video files to an external service (mega-api-prod.nemovideo.ai). Don’t upload sensitive footage unless you trust the service and its privacy policy. Consider using the anonymous starter token route instead of providing a persistent NEMO_TOKEN if you have privacy concerns.
- Credentials: NEMO_TOKEN is the only declared secret. Confirm what permissions that token grants on the provider side before supplying it.
- Metadata mismatch: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and asks the agent to detect install paths; the registry metadata above lists no config paths. Ask the publisher to clarify whether the skill needs access to local config directories or install-path detection and why.
- Filesystem access: the skill asks to read its own YAML frontmatter and detect install path to populate attribution headers. If you run agents in a restricted environment, ensure these reads are acceptable.
- Trust & provenance: the source/homepage is unknown. If you rely on this skill, ask the owner for a homepage, privacy policy, and documentation for the API endpoints and token scope.

If you’re uncomfortable with any of the above, do not provide a persistent NEMO_TOKEN and prefer anonymous token flow, or avoid installing the skill until the publisher provides clearer provenance and a privacy statement.

Review Dimensions

Purpose & Capability
note
The skill name/description (AI cloud video editor that returns shareable links) aligns with the runtime instructions to create sessions, upload video files, stream SSE edits, and request renders from https://mega-api-prod.nemovideo.ai. Required credential (NEMO_TOKEN) is appropriate for an API-backed service. However, SKILL.md metadata lists a configPaths entry (~/.config/nemovideo/) while the registry metadata above this evaluation lists no required config paths — this inconsistency should be resolved.
Instruction Scope
concern
The runtime instructions direct the agent to: read the environment for NEMO_TOKEN (declared), POST to an anonymous-token endpoint if missing, create sessions, upload user files, stream and poll render endpoints, and include attribution headers read from the skill's YAML frontmatter and by detecting the agent install path (e.g., ~/.clawhub/ or ~/.cursor/skills/). Reading the install path and the file's frontmatter at runtime is out-of-band relative to simple editing behavior and may require filesystem access not obvious from the registry metadata. Uploading user videos to an external service is expected for this skill but is a privacy-sensitive operation that should be disclosed to users.
Install Mechanism
ok
No install spec or code files are present; this is instruction-only, which minimizes disk-write risk. Nothing is being downloaded or installed by the skill itself.
Credentials
note
Only one credential is declared (NEMO_TOKEN) and the SKILL.md uses that token for Bearer authorization — proportionate for an API integration. The skill also documents obtaining an anonymous starter token if NEMO_TOKEN is absent (calls an external auth endpoint). The only minor mismatch: the SKILL.md frontmatter lists a configPaths requirement (~/.config/nemovideo/) while the registry metadata shows no required config paths.
Persistence & Privilege
ok
always is false and the skill does not request persistent system-wide privileges. It does instruct including attribution headers and detecting an install path, but it does not request to modify other skills or system configuration.