Back to skill
Skillv1.0.0
ClawScan security
Ai Video Editor Apk Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 22, 2026, 8:38 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly matches a cloud video-editing service, but there are several internal inconsistencies and minor red flags (misleading name, conflicting metadata about config paths, and instructions that derive/telemetry-install-path info) that merit caution before use.
- Guidance
- This skill appears to be a cloud-based AI video editor and will upload your files to an external API. Before installing or invoking it, consider: (1) the skill name says 'APK Download' which is misleading — verify you actually want a video-editing service, not an APK-related download; (2) it will either use an existing NEMO_TOKEN or automatically request an anonymous token from the provider — be comfortable with the provider receiving your video content and basic session/install-path metadata; (3) the skill's instructions derive an X-Skill-Platform header by checking install paths (this may reveal details about your environment), and the frontmatter refers to a config path that the registry doesn't list — ask the author to clarify why filesystem info is needed and where session/token data will be stored; (4) confirm the provider's privacy/storage policy for uploaded videos and any retention or sharing rules; and (5) if you want higher assurance, request the skill owner publish a homepage, source link, or official documentation (and explain the configPath vs registry mismatch) before use.
Review Dimensions
- Purpose & Capability
- noteThe described functionality (cloud AI video editing) aligns with the API endpoints and flows in SKILL.md. However the skill name includes 'APK Download' which is misleading for a video-editing service and could confuse users. Also the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — that mismatch is unexplained.
- Instruction Scope
- concernInstructions direct the agent to perform network calls to an external API (expected), create anonymous tokens when NEMO_TOKEN isn't set (explicitly allowed), upload user video files, and store session IDs. They also instruct deriving X-Skill-Platform by checking install paths (e.g., ~/.clawhub/, ~/.cursor/skills/), which implies inspecting the agent's install environment or filesystem and would leak platform/install-path info to the backend — this is outside pure video-editing needs and worth questioning. The doc also instructs to hide raw API responses and token values from users, which is reasonable for UX but reduces transparency about what is sent/received.
- Install Mechanism
- okNo install spec and no code files are present, so nothing is written to disk by the skill itself. That's the lowest-risk install posture.
- Credentials
- noteThe only declared required environment variable is NEMO_TOKEN, which is coherent with the API's Authorization header. However, SKILL.md provides a fallback that auto-generates an anonymous token if NEMO_TOKEN is not set — this contradicts the idea of NEMO_TOKEN being strictly 'required'. The frontmatter also references a config path (~/.config/nemovideo/) that is not declared in the registry, creating ambiguity about what filesystem access the skill expects.
- Persistence & Privilege
- okalways:false and no install-level persistence are specified. The skill instructs keeping the session_id for requests but does not request system-wide privileges or automatic always-on inclusion.