Skill v1.0.0
ClawScan security
Editor Change · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 1:00 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose (cloud-based AI video re-editing); it only asks for a single service token and describes the upload/render workflow without requesting unrelated credentials or installs.
- Guidance: This skill appears coherent: it uploads your video to a NEMO cloud backend for editing and needs a single service token (NEMO_TOKEN). Before installing consider: 1) uploaded videos will leave your machine—don't send sensitive footage unless you trust the service; 2) verify the API domain (mega-api-prod.nemovideo.ai) and the service's privacy/retention policy; 3) the skill can generate an anonymous token that lasts ~7 days (100 free credits) so be aware a temporary token may be created and used; 4) check whether you want the agent to read local install/config paths (used only to set attribution headers). If any of these are unacceptable, do not install or provide a production NEMO token.
Review Dimensions
- Purpose & Capability (ok): Name/description (clouded video re-editing) align with requested credential (NEMO_TOKEN) and API endpoints for upload, session, and render. Declared config path (~/.config/nemovideo/) and session/state concepts are relevant to a cloud rendering backend.
- Instruction Scope (note): SKILL.md limits actions to authenticating (use existing NEMO_TOKEN or obtain an anonymous token), creating a session, uploading video files, sending SSE edit commands, and polling for render results. It instructs the agent not to expose raw tokens. One minor scope action: it asks the agent to detect its install path to set X-Skill-Platform and references the skill's YAML frontmatter; that requires reading local context/files but is proportional to adding attribution headers.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is downloaded or written to disk by a provided installer. Low install risk.
- Credentials (ok): Only NEMO_TOKEN is required (declared as primary). That single credential directly maps to the described cloud API. The skill documents an anonymous-token fallback flow if no token is present, which is consistent with the service model.
- Persistence & Privilege (ok): always:false and no unusual persistence or cross-skill configuration changes. The skill can be invoked by the agent (normal behavior) but does not request permanent system-level privileges.
