Skillv1.0.0

ClawScan security

Video Editor Pkg · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 20, 2026, 6:16 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are consistent with a cloud-based video editing integration, with only minor metadata inconsistencies and routine privacy considerations to review before use.
Guidance: This skill appears to be a normal cloud video-editing integration that uploads your media to https://mega-api-prod.nemovideo.ai for processing. Before installing, consider: 1) Do you trust that remote service with the videos you will upload? Sensitive footage will be transmitted and stored by that backend. 2) Clarify how and where the created anonymous NEMO_TOKEN and session_id are stored (the SKILL.md says to store them but doesn't specify secure storage or retention). 3) Ask the provider about data retention, who can access your uploads, and whether exports/derivatives are kept. 4) Note the small metadata mismatch (declared config path in SKILL.md vs registry) — ask the publisher to confirm whether the skill will read ~/.config/nemovideo/ or any other local files. If these questions are answered satisfactorily, the skill's behaviors align with its stated purpose.

Review Dimensions

Purpose & Capability: noteThe skill's name/description (cloud AI video editing) matches the network endpoints, upload, SSE, render and export workflows described in SKILL.md. One inconsistency: the SKILL.md frontmatter lists a required config path (~/.config/nemovideo/) while the registry metadata showed no required config paths; this is likely a metadata mismatch rather than malicious behavior but should be clarified.
Instruction Scope: okInstructions only direct the agent to create/verify an API token, create a session, upload video files or URLs, stream SSE messages, poll job status, and deliver download URLs — all within the stated video editing workflow. The instructions do not ask the agent to read unrelated system files, other environment variables, shell history, or exfiltrate data outside the nemovideo API domain.
Install Mechanism: okThis is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That is the lowest-risk install mechanism.
Credentials: noteThe only declared credential is NEMO_TOKEN, which is appropriate for calling the backend API. The skill also instructs creating an anonymous token automatically if none is present (100 free credits, 7-day expiry). The SKILL.md suggests storing session_id/token for subsequent requests but does not specify secure storage; users should confirm where tokens/sessions are persisted.
Persistence & Privilege: okThe skill is not marked always:true and does not request system-wide privileges. It does not instruct modifying other skills or global configuration. Autonomous invocation is allowed (platform default) but not combined with other privilege concerns.