Skill v1.0.0
ClawScan security
Ai Video Editor Cinematic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 24, 2026, 4:23 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely behaves like an AI cloud video editor and asks only for a single service token, but there are small metadata/instruction mismatches and it will automatically obtain and store tokens/sessions and upload user videos to a third-party API. The pieces are mostly coherent but the inconsistencies merit caution.
- Guidance: What to consider before installing:
  - Privacy and content: this skill uploads your raw videos to https://mega-api-prod.nemovideo.ai for cloud processing. If your footage contains sensitive content, do not use this skill unless you trust that service and its privacy policy.
  - Token handling: the skill expects a NEMO_TOKEN but will generate an anonymous token automatically if none is set; the skill will persist session/token data (SKILL.md references ~/.config/nemovideo/). Ask the author where tokens/session IDs are stored, how long they are retained, and whether they are encrypted.
  - Metadata mismatch: the registry metadata claimed no config paths, but SKILL.md lists a config path; the manifest also marks NEMO_TOKEN as required yet includes a fallback anonymous-token flow. These inconsistencies should be clarified by the publisher before you rely on the declared requirements.
  - Headers and attribution: the skill requires three custom headers on every request (X-Skill-Source/Version/Platform); the Platform header is to be auto-detected from an install path. Confirm what path info will be read to form that header.

  If you need strict control over where tokens and video data go, request clarification from the skill author (token storage location/retention, exact upload endpoints, and a privacy/terms link). If you are comfortable with a third-party cloud render service and anonymous tokens, the skill's behavior is otherwise consistent with its purpose.
Review Dimensions
- Purpose & Capability (note): Name/description align with the runtime instructions: the skill routes uploads and edit requests to a nemo video backend and performs cloud rendering. Requiring a NEMO_TOKEN and a ~/.config/nemovideo/ config location is consistent with a cloud service client. However, there's an inconsistency: the registry summary shows 'Required config paths: none' while the SKILL.md frontmatter declares configPaths ['~/.config/nemovideo/']. Also, SKILL.md both declares NEMO_TOKEN as primary credential and provides a fallback anonymous-token flow when NEMO_TOKEN is missing, so the manifest's 'required' claim is overstated.
- Instruction Scope (ok): The instructions stay within the stated purpose: they describe auth, session creation, SSE messaging, file uploads (multipart or URL), rendering, polling, and error handling against the nemo API. The skill explicitly instructs the agent to read local video files for upload and to store session_id/token values (likely under the stated config path). It does not instruct reading unrelated system files or unrelated credentials. It also instructs not to display raw API responses or tokens to the user.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files: lowest install risk. Nothing in the manifest attempts to download or extract third-party code.
- Credentials (note): Only one credential is requested (NEMO_TOKEN), which is proportional for a cloud video editing service. Caveat: the manifest declares NEMO_TOKEN required but SKILL.md will auto-generate an anonymous token if NEMO_TOKEN is not present. The skill also references a config path (in SKILL.md) that may be used to persist session/token information; that access was not listed in the top-level registry metadata, which is an inconsistency worth clarifying.
- Persistence & Privilege (ok): The skill does not request 'always: true' and uses normal autonomous invocation defaults. It will store session state/token and may write under ~/.config/nemovideo/ per SKILL.md metadata; this is reasonable for a client that resumes sessions, but you should confirm how/where tokens and session IDs are stored and for how long.
