Skill v1.0.0
ClawScan security
Ai Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 4:57 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a cloud video-editing service: it only needs a NEMO_TOKEN and talks exclusively to nemovideo.ai endpoints, but the publisher is unknown so verify the third-party service before use.
- Guidance: This skill appears to do what it says: it uploads user video and uses a NemoVideo backend to edit and return outputs. Before installing, confirm you trust the third-party domain (mega-api-prod.nemovideo.ai) and its privacy/terms because any uploaded footage (including potentially sensitive video/audio) will be sent to that service. If you prefer more control, provide your own NEMO_TOKEN (instead of letting the skill auto-create an anonymous one) or avoid using the skill for confidential material. Also check for a legitimate vendor homepage or documentation and consider testing with non-sensitive sample videos first.
Review Dimensions
- Purpose & Capability (ok): The name/description (AI video editing) match the declared requirement (NEMO_TOKEN) and the SKILL.md describes endpoints and flows for a NemoVideo backend. Declared config path (~/.config/nemovideo/) and auth token are consistent with a service-backed editor. Lack of a homepage or known publisher reduces transparency but does not by itself conflict with purpose.
- Instruction Scope (note): Instructions keep all network calls scoped to mega-api-prod.nemovideo.ai and the described endpoints (session, upload, SSE, render). The skill instructs the agent to automatically obtain an anonymous token if NEMO_TOKEN is not provided and to store a session_id for subsequent calls. It explicitly tells the agent not to display raw API responses or token values. There are no instructions to read unrelated system files or to transmit data to other domains, but the automatic backend connection on first open is a behavior users should expect and accept.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill — so nothing is downloaded or written by an installer. This lowers the install-time risk surface.
- Credentials (ok): Only a single credential (NEMO_TOKEN) is required and is appropriate for a hosted editing service. Metadata lists a service-specific config path (~/.config/nemovideo/), which is reasonable. There are no unrelated credentials requested.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide persistence or elevated privileges. It asks to store a session_id for ongoing interactions (normal for session-based APIs) but does not instruct modifying other skills or global agent configs.
