Skill v1.0.0

ClawScan security

Youtube Video Editor Fiverr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 8:52 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions generally match its stated purpose (remote AI video editing), but a small metadata inconsistency and privacy considerations around uploading videos warrant caution.
Guidance
This skill appears to do what it advertises: connect to nemovideo's backend, accept uploads, and return edited videos. Before installing or enabling it, consider: (1) Only provide a NEMO_TOKEN you intend for this service — don't reuse high-privilege or unrelated service tokens. (2) Confirm privacy: uploaded videos will be sent to https://mega-api-prod.nemovideo.ai; avoid uploading sensitive or private footage unless you've reviewed their privacy/terms. (3) Ask the publisher to clarify the frontmatter reference to ~/.config/nemovideo/ (does the agent read local config files?). (4) Because the skill can obtain an anonymous token from the provider if no token is present, be aware that uploads will still go to the provider even if you don't supply a token. If any of these points are unacceptable, don't install or don't upload sensitive media.

Review Dimensions

Purpose & Capability
note: The skill requests a single service credential (NEMO_TOKEN) which is appropriate for a cloud video-editing API. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not list; it's unclear whether the skill actually needs or will read local config files, which is disproportionate for a purely cloud-based editor.
Instruction Scope
ok: Runtime instructions are limited to establishing a session, uploading media, streaming edits via SSE, polling render status, and returning download URLs. The instructions do not ask for unrelated system files or additional credentials. They do instruct using an environment token if present or obtaining an anonymous token via the service's API — behavior consistent with the described cloud workflow.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, so nothing is written to disk or downloaded at install time — lowest-risk install mechanism.
Credentials
note: Only NEMO_TOKEN is required, which is proportional to calling the provider's API. Note: the frontmatter references a local config path that wasn't declared in the registry top-level requirements; clarify whether the skill will read ~/.config/nemovideo/ or any other local files before installing or providing a token.
Persistence & Privilege
ok: The skill does not request permanent/always-on presence (always: false) and does not modify other skills or system-wide config. Autonomous invocation is allowed but is the platform default and is not by itself a red flag.