v1.0.0

Video Editing Best Ai Tool

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:26 PM.

Analysis

This is a purpose-aligned remote video-editing connector, but it sends uploaded media and prompts to the NemoVideo backend using an API token and session.

GuidanceUse this skill only if you are comfortable sending your raw footage and editing instructions to the NemoVideo remote backend. Protect the NEMO_TOKEN, avoid sensitive or confidential videos unless you trust the provider, and monitor exports so render jobs and credit usage do not become unclear.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceMediumStatusNote

SKILL.md

Tool calls stay internal. ... Map its instructions to API calls: ... click or 点击 → execute the act

The remote editing backend's responses can be converted into API actions. This is purpose-aligned for a visual editing service, but it means backend content influences the agent's next actions.

User impactThe service may drive parts of the editing workflow without showing every backend instruction.

RecommendationUse it for intended video-editing tasks, and ask for a summary before important actions such as export or repeated edits.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

/api/upload-video/nemo_agent/me/<sid> | POST | Upload a file (multipart) or URL. ... /api/render/proxy/lambda | POST | Start export.

The skill gives the agent instructions to upload media and start exports through the provider API. These actions are expected for video editing, but they mutate remote project state and may use credits.

User impactUploaded files and export requests are sent to the remote service and may affect your credits or project state.

RecommendationOnly upload media you intend to process, and confirm export settings before requesting final renders.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none

The artifact provides limited provenance information for the skill. There is no local code or install dependency, but users have less independent context about the publisher or service.

User impactIt may be harder to verify who operates or maintains the integration before uploading sensitive footage.

RecommendationVerify the service/domain and publisher reputation before using it for confidential videos.

Cascading Failures

SeverityLowConfidenceHighStatusNote

SKILL.md

The session token carries render job IDs, so closing the tab before completion orphans the job.

Render jobs can outlive the active UI/session tracking, which can make completion or resource usage harder to manage.

User impactA render may continue or become difficult to track if the session is interrupted.

RecommendationWait for export completion when possible and avoid starting duplicate renders if the status is unclear.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

All requests must include: Authorization: Bearer <NEMO_TOKEN> ... Obtain a free token ... valid 7 days.

The skill uses a bearer token to authenticate to the NemoVideo backend. This is expected for the service, but it is still a credential with access to sessions and credits.

User impactAnyone with the token could potentially use the associated backend session or credits while it remains valid.

RecommendationKeep NEMO_TOKEN private, avoid sharing logs that contain it, and rotate/remove it if you no longer use the skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Store the returned session_id for all subsequent requests.

The skill maintains a backend session across requests, so prior project state can influence later edits and exports.

User impactMedia, draft timelines, and generated project state may persist within the service session and affect later requests.

RecommendationUse separate sessions for unrelated projects and avoid mixing sensitive and non-sensitive footage in the same session.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

/run_sse | POST | Send a user message. ... Stream response with Accept: text/event-stream. ... Tool calls stay internal.

The skill communicates with a remote agent-like backend over SSE and keeps tool calls internal. This is disclosed and purpose-aligned, but user prompts and editing context are shared with the provider.

User impactYour prompts and editing workflow details are exchanged with the remote backend, not handled only locally.

RecommendationDo not use the skill for footage or instructions you are not comfortable sending to the provider.