Skill v1.0.0

ClawScan security

Video Editor Instagram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 6:31 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper around a third‑party cloud video-editing API and its requirements and runtime instructions largely match that purpose, but there is a small metadata inconsistency and you should be aware that user video files and tokens are sent to an external service.
Guidance
This skill appears to do what it says: it will upload your videos to mega-api-prod.nemovideo.ai and use an API token (NEMO_TOKEN) or an anonymously issued short‑lived token. Before installing or using it, consider: (1) Do you trust nemovideo.ai with your media? Check their privacy/retention policy because uploads go off your device. (2) Prefer using a limited or anonymous token rather than a long‑lived account token; verify how the skill stores or reuses tokens (SKILL.md does not instruct persistent storage but the platform may). (3) Clarify the metadata inconsistency: SKILL.md frontmatter references a local config path (~/.config/nemovideo/) — confirm whether the skill will read local config files. (4) Confirm the domain and endpoints are legitimate and match the service you expect. If any of these points are unclear or you cannot trust the remote service, do not provide a production NEMO_TOKEN or upload sensitive media.

Review Dimensions

Purpose & Capability
note: Name/description match the runtime instructions: the skill uploads user video files and calls a nemo-video cloud API to edit and return results. Requesting a single API token (NEMO_TOKEN) is proportionate. Minor inconsistency: the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/) while the registry metadata earlier reported no required config paths — this should be clarified.
Instruction Scope
ok: SKILL.md stays within the expected scope: connect to the backend, create or obtain a token, create a session, upload files, run render jobs, and stream SSE responses. It does require sending user media to the external endpoint, which is consistent with the described purpose but is a privacy consideration. It does not instruct broader system file reads or unrelated credential access.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is the lowest-risk install profile and consistent with a simple API-integrator skill.
Credentials
note: Only NEMO_TOKEN is required (declared as primaryEnv), which is expected. The SKILL.md describes an anonymous-token fallback flow (generating a UUID and POSTing to the API), which is reasonable. The earlier-mentioned configPaths in the SKILL.md frontmatter is the one disproportionate/unclear item — it implies the skill might read a local nemovideo config directory, but the rest of the instructions do not reference it.
Persistence & Privilege
ok: always:false and no install-time persistence or modifications to other skills are described. The skill does not request elevated platform privileges.