Skill v1.0.0
ClawScan security
Ai Video Editor From Prompt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 5:31 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are internally consistent with a cloud video-generation service: it needs a NEMO_TOKEN (or will obtain an anonymous one), calls nemovideo.ai endpoints, and stores session state — nothing in the instructions appears unrelated to its stated purpose, but the source is unknown and the skill will transmit user uploads and local metadata to an external API, so review privacy/trust before using.
- Guidance: This skill appears to do what it says (calls nemovideo.ai to generate videos). Before installing: (1) verify you trust the external domain (mega-api-prod.nemovideo.ai); uploaded media and prompt text will be sent to that service; do not upload sensitive material unless you trust their policies; (2) be aware the skill will obtain/store an anonymous bearer token automatically if you don't set NEMO_TOKEN — consider providing your own token only if you trust the service; (3) the skill may read install/config paths to derive headers (minor metadata leakage); (4) if you install it, monitor where the token/session are stored (e.g., ~/.config/nemovideo/) and delete them when no longer needed. If you need higher assurance, ask the skill author for a source repository, privacy policy, or verification of the nemo service before proceeding.
Review Dimensions
- Purpose & Capability (ok): The skill claims to generate videos via a cloud backend and requires a NEMO_TOKEN; that is proportionate. The declared config path (~/.config/nemovideo/) and primaryEnv NEMO_TOKEN align with storing a token/session for the external nemo service.
- Instruction Scope (note): SKILL.md instructs the agent to call nemovideo.ai endpoints, obtain anonymous tokens if NEMO_TOKEN is not set, create sessions, upload files, and stream SSE responses. These actions are expected for a remote render pipeline. Two points to note: (1) the skill will automatically request an anonymous token and use it if the user hasn't supplied NEMO_TOKEN (this creates an outbound network call and issues a bearer token valid for 7 days); (2) the skill derives an X-Skill-Platform header from install paths (which may require reading environment/paths and could leak platform/install info). The instructions explicitly say not to display raw token values to users.
- Install Mechanism (ok): No install spec or code is included — this is instruction-only and does not write new binaries to disk. That minimizes install-time risk; however, runtime network calls to an external service are required.
- Credentials (note): Only one credential is declared (NEMO_TOKEN), which matches the service being called. The skill will create and use an anonymous token if none is provided, and recommends storing session_id and token (implied in the declared config path). This is proportionate, but users should be aware that uploads and prompt text will be sent to nemo's servers and that the skill may persist a token/session locally.
- Persistence & Privilege (ok): The skill does not request always:true, no special platform privileges are declared, and it does not propose modifying other skills. It does imply persisting an ephemeral anonymous token and session_id (normal for a cloud service).
