Skill v1.0.0
ClawScan security
Video Editing Ai For Instagram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 16, 2026, 6:12 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (cloud video editing) matches most of its instructions, but there are metadata and scope inconsistencies and it will upload your videos and obtain/store an API token with an unknown third-party service — proceed cautiously.
- Guidance: This skill will upload your raw videos and audio to mega-api-prod.nemovideo.ai, obtain or use a NEMO_TOKEN, and store a session token for subsequent requests. The ownership and homepage are unknown and metadata contains inconsistencies (declared required env var vs automatic anonymous token issuance; config path listed in SKILL.md but not in registry). Before installing or using it:
  1) Avoid uploading sensitive or private footage until you verify the service's privacy/retention policy.
  2) Ask the skill author or registry for a homepage, privacy policy, and clarification about whether tokens/session IDs are written to disk and where.
  3) If you prefer control, pre-provision your own NEMO_TOKEN (if possible) instead of letting the skill mint an anonymous token.
  4) Don't treat 'required' env/config declarations as authoritative here — request the author fix the metadata mismatches.
  If you cannot verify the operator or privacy terms, treat this as high-risk for sensitive content.
Review Dimensions
- Purpose & Capability (note): Name and description (Instagram-focused video editing) align with the runtime instructions (upload, edit, render on cloud GPUs). Requesting a service token (NEMO_TOKEN) is reasonable. However, the skill metadata is inconsistent: the registry listing said no config paths while the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) and also lists NEMO_TOKEN as required even though the instructions provide an anonymous-token fallback — this mismatch is unexplained.
- Instruction Scope (concern): The instructions will upload user-supplied media to https://mega-api-prod.nemovideo.ai and stream server-sent events; this is expected for a cloud editor but means user videos and audio are sent to a third party. The skill also instructs generating and storing an anonymous NEMO_TOKEN and a session_id for repeated requests. It references detecting an install path to set an X-Skill-Platform header (which implies reading local paths) even though that file/path access is not declared elsewhere. No steps appear to read unrelated system secrets, but the upload of media and token storage are significant privacy actions that users should know about.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is written to disk by a packaged installer. Lower installation risk, but runtime network calls still occur per SKILL.md.
- Credentials (note): Only one credential (NEMO_TOKEN) is declared as required and as the primaryEnv, which is proportionate for a third-party API. However, the SKILL.md will automatically mint an anonymous token if NEMO_TOKEN is not present — this makes the 'required' label misleading. The frontmatter also lists a config path (~/.config/nemovideo/) that the top-level registry did not, creating ambiguity about whether the skill will access local configuration files.
- Persistence & Privilege (note): The skill does not request always:true and uses the default autonomous invocation. It instructs storing session_id and token for subsequent requests; this is normal for a session-based service but means tokens/sessions may persist for days. The SKILL.md does not explicitly state where to persist them (memory vs disk), so clarify storage behavior if you care about long-lived tokens on disk.
