ClawHub
Back to skill
v1.0.0

Login Video Editor

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 12:37 PM.

Analysis

This skill appears to be a legitimate cloud video editor, but it uploads footage to an external Nemo Video backend and uses token-based remote sessions.

GuidanceBefore installing, confirm you are comfortable sending the video footage to Nemo Video's cloud service, protect the NEMO_TOKEN, and avoid uploading login recordings that show real passwords, customer data, or other confidential information.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityMediumConfidenceHighStatusNote
SKILL.md
| "click [button]" / "点击" | Execute via API | ... | "Export button" / "导出" | Execute export workflow |

Backend text is explicitly translated into API actions, which makes remote backend responses partially authoritative for what the agent does next.

User impactA backend response may cause the agent to perform editor actions such as querying state or exporting, rather than only showing text to the user.
RecommendationKeep backend-driven actions limited to the current video-editing request, and confirm high-impact actions such as exports or credit-consuming renders.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
Upload — `POST /api/upload-video/nemo_agent/me/<sid>` ... Export — `POST /api/render/proxy/lambda` with render ID and draft JSON.

The skill instructs the agent to use remote API operations that upload media, modify a cloud draft, and start render jobs.

User impactYour files may be uploaded to the cloud backend and exports may consume service credits.
RecommendationUse the skill only with footage you intend to process in the cloud, and ask for confirmation before starting exports if credit use matters.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceMediumStatusNote
metadata
Source: unknown; Homepage: none

The registry entry does not provide source or homepage provenance, even though the skill relies on an external cloud service.

User impactIt may be harder to independently verify who operates the skill or review service documentation before uploading media.
RecommendationVerify the Nemo Video provider and terms separately before using the skill for confidential or regulated footage.
Cascading Failures
SeverityLowConfidenceHighStatusNote
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

Interrupted sessions can leave remote render jobs detached from the user workflow.

User impactAn interrupted or duplicate export could leave a job running or make it harder to track completion.
RecommendationAvoid starting duplicate renders, wait for export completion when possible, and check job status before retrying.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`

The skill uses a bearer token as its primary credential for all Nemo Video API calls.

User impactAnyone who obtains the token could potentially use the associated Nemo Video access or credits.
RecommendationStore NEMO_TOKEN securely, avoid exposing logs or raw API output, and rotate the token if it is leaked.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityMediumConfidenceHighStatusNote
SKILL.md
Keep the returned `session_id` for all operations. ... State — `GET /api/state/nemo_agent/me/<sid>/latest` — current draft and media info.

The workflow maintains remote session state and retrieves current draft/media context that can influence later actions.

User impactEdits may depend on remote session state, so stale or unintended project state could affect later video operations.
RecommendationStart a new session for unrelated projects and avoid including secrets or credentials in login-flow footage.
Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
All calls go to `https://mega-api-prod.nemovideo.ai`. ... Chat (SSE) — `POST /run_sse` with `session_id` and your message

The agent exchanges messages and session data with an external provider endpoint, including an SSE chat-style backend.

User impactPrompts, media references, draft state, and uploaded footage may be processed outside the local environment.
RecommendationOnly upload content approved for third-party cloud processing and review provider privacy expectations before use.