Skillv1.0.0

ClawScan security

Video Editor Filters · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 22, 2026, 6:22 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (cloud video filter/export) matches its runtime instructions, but there are small metadata inconsistencies and it will upload user videos and obtain/store tokens on an external service — review before installing.
Guidance: This skill sends any uploaded videos and edit instructions to an external service (https://mega-api-prod.nemovideo.ai) and uses a NEMO_TOKEN (or obtains an anonymous one) to authenticate. That behaviour is consistent with a cloud video-processing tool but has privacy implications: do not upload sensitive footage you wouldn’t want sent to a third party. Note the SKILL.md references a config directory (~/.config/nemovideo/) that is not listed in the registry metadata — ask the publisher whether the skill will read that directory or other local files. If you proceed, consider: (1) only grant NEMO_TOKEN if you trust Nemovideo's service and privacy policy, (2) revoke tokens/credits from the service if you stop using the skill, and (3) avoid uploading confidential media. The metadata mismatch lowers confidence slightly — request clarification from the skill owner before installing.

Review Dimensions

Purpose & Capability: noteThe skill claims to apply AI filters and export videos and its instructions call the nemo video API endpoints for uploads, rendering, credits, and state; requiring a NEMO_TOKEN is coherent. However, the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch should be clarified (does the skill need access to that config dir?).
Instruction Scope: okInstructions are narrowly focused on authenticating (using NEMO_TOKEN or anonymously obtaining one), creating a session, uploading video files, driving SSE-based edits, polling render status, and returning a download URL. These actions are consistent with the described video-processing purpose. The skill does instruct the agent to read its own frontmatter and detect install paths to populate attribution headers — that requires filesystem access to the skill file and (optionally) probing common install directories, which is expected but should be noted.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an installer. That reduces risk compared to skills that fetch/extract remote archives.
Credentials: noteOnly one credential is declared (NEMO_TOKEN) which fits a cloud video-processing backend. The SKILL.md will automatically obtain an anonymous token if none is present (by POSTing to the external API). The frontmatter's mention of a config path (~/.config/nemovideo/) is not reflected in the registry metadata — clarify whether the skill expects to read that directory (which could contain credentials or preferences).
Persistence & Privilege: okalways:false and normal autonomous invocation. The skill stores a session_id and will retain/use an obtained token for requests; tokens are described as short-lived (anonymous token valid 7 days). This is proportional to the task but you should be aware the session/token will be stored and used for subsequent API calls.