Skill v1.0.0
ClawScan security
Video Editing With Free Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 2:13 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a cloud video-editing service: it needs a NEMO_TOKEN and uploads videos to a remote API; nothing requests unrelated credentials or writes code to disk.
- Guidance: This skill uploads your video files to a third-party cloud service (mega-api-prod.nemovideo.ai) and uses a NEMO_TOKEN (which the skill will try to obtain anonymously if you don't provide one). Before installing or using it: 1) Confirm you are comfortable having your videos processed by that external service and review its privacy/TOS if available. 2) Note the token the skill obtains is temporary (SKILL.md says 100 free credits, 7-day expiry); check whether tokens are stored persistently by your agent environment. 3) The SKILL.md contains a small metadata mismatch (declared config path vs. registry metadata), not a security break but worth being aware of. 4) Avoid uploading sensitive content in videos. 5) If you want tighter control, supply your own NEMO_TOKEN (and revoke it later) or test with non-sensitive files first.
Review Dimensions
- Purpose & Capability (note): The skill is a cloud video-editing workflow and explicitly requires/uses a NEMO_TOKEN to call mega-api-prod.nemovideo.ai, which is consistent with its description. Minor inconsistency: the YAML frontmatter in SKILL.md lists a config path (~/.config/nemovideo/) while the registry metadata above the file indicated no required config paths. This is likely a metadata mismatch but does not change the core capability.
- Instruction Scope (note): The SKILL.md instructs the agent to (a) check for NEMO_TOKEN, (b) if missing, call an anonymous-token endpoint to obtain one, (c) create a session, upload files, and read SSE responses. All of these are within the stated purpose (remote rendering). The instructions also describe deriving attribution headers and 'detecting the install path' to set X-Skill-Platform; that implies the agent may inspect its install path or environment to choose a header value, which is reasonable but broader than strictly necessary for video editing.
- Install Mechanism (ok): No install spec or code is provided (instruction-only). Nothing is downloaded or written to disk by an installer in the skill bundle itself.
- Credentials (note): Only NEMO_TOKEN is declared as required (primaryEnv). The SKILL.md outlines a flow to auto-acquire an anonymous NEMO_TOKEN if none is present, so requiring the token up-front is somewhat inconsistent but not harmful. No unrelated secrets or multiple credentials are requested.
- Persistence & Privilege (ok): always:false and default autonomous invocation are set (normal). The skill asks the agent to keep session_id in memory for job operations but does not request permanent system-level privileges or to modify other skills.
