Skillv1.0.0

ClawScan security

Professional Ai Video Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 30, 2026, 3:08 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (cloud AI video editing) matches its runtime instructions and required credential (NEMO_TOKEN); no install or unrelated privileges are requested, but there are minor metadata/instruction inconsistencies you should be aware of before use.
Guidance: This skill appears coherent: it talks to a third-party video-editing API and needs only a NEMO_TOKEN (or will fetch an anonymous starter token). Before installing, verify the backend domain (mega-api-prod.nemovideo.ai) is the service you expect and read that service's privacy/data-retention policy — you will be uploading raw video (potentially sensitive). Ask the skill author (or vendor) to clarify the configPath discrepancy in the frontmatter and registry metadata, and confirm what data the service stores and for how long. If you have a choice, test with the anonymous starter token and non-sensitive footage first; never provide unrelated credentials (AWS, GitHub, etc.).

Review Dimensions

Purpose & Capability: noteThe name/description (AI video editing) aligns with the instructions (upload, SSE-based editing, render/export endpoints). The single required env var (NEMO_TOKEN) makes sense for a third-party API. Note: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported 'Required config paths: none' — this mismatch should be clarified.
Instruction Scope: noteRuntime instructions are narrowly focused on interacting with the nemo backend (auth, session creation, SSE messaging, upload, export, polling). They do instruct the agent to read this file's YAML frontmatter for skill attribution and to detect the install path to set an X-Skill-Platform header — these require access to the skill metadata/paths and are not strictly necessary for core editing functionality. The agent is told to obtain an anonymous token if no NEMO_TOKEN is present, which is coherent but means the agent will make a network call to obtain credentials automatically.
Install Mechanism: okThere is no install spec and no code files — instruction-only skill. Nothing will be downloaded or written to disk by an installer as part of this skill package.
Credentials: noteOnly one credential is required (NEMO_TOKEN), which is appropriate for a single third-party API. The instruction to auto-acquire a short-lived anonymous token if NEMO_TOKEN is absent is reasonable. However, the frontmatter's mention of a config path (~/.config/nemovideo/) contrasts with the registry's 'none' entry; confirm whether local config files are actually read and what they contain. Do not supply unrelated high-privilege tokens.
Persistence & Privilege: okalways is false and autonomous invocation is allowed (the platform default). The skill does not request persistent system-wide privileges or attempt to modify other skills. It uses ephemeral session tokens for operations, which is normal for a cloud API client.