Skill v1.0.0

ClawScan security

Ai Video Editor For Instagram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 6:20 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (cloud video editing) but contains metadata/instruction inconsistencies and requires sending user video files and tokens to an external API — review the remote endpoint and the config-path/token handling before installing.
Guidance
This skill sends your uploaded video files and session tokens to a remote service (https://mega-api-prod.nemovideo.ai) to perform editing — that is expected for a cloud editor, but you should confirm you trust that endpoint and its privacy/retention policies before installing. Note the SKILL.md mentions a local config path (~/.config/nemovideo/) even though the registry metadata did not — ask the publisher what the skill will read or write on disk. If you don't already have a NEMO_TOKEN, the skill will generate an anonymous token via an API call (100 credits, 7-day expiry) and store session IDs; clarify where session data or tokens are persisted. Because the source/homepage is unknown, prefer installing only if you can verify the publisher or review the skill source; avoid placing long-lived or high-privilege credentials in your environment for this skill. If you proceed, monitor network activity and review any files uploaded to the service for sensitive content before sending.

Review Dimensions

Purpose & Capability
note: The skill's name/description (Instagram video editing) align with the instructions to upload footage, create sessions, and request renders from a remote rendering API. Requesting a single API token (NEMO_TOKEN) is reasonable. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and should be clarified.
Instruction Scope
concern: Runtime instructions direct the agent to POST files and messages to https://mega-api-prod.nemovideo.ai (including file uploads and session management) and to generate anonymous tokens when a token isn't provided. These actions are consistent with cloud editing, but the instructions also require adding attribution headers and 'auto-detecting' an install path value for X-Skill-Platform (which may require inspecting agent/install paths or config). The skill tells the agent to 'save session_id' but doesn't define storage scope (memory vs persistent file). Overall, the instruction set will transmit user video and metadata off-device and asks for access to system/install information in ways that are under-specified.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so it doesn't write binaries to disk or pull external packages during install — low install risk.
Credentials
note: Only one environment variable (NEMO_TOKEN) is declared as required, which is proportional for an API-backed editor. However, SKILL.md frontmatter references a config path (~/.config/nemovideo/) that is not reflected in the registry's 'Required config paths' field — this inconsistency could indicate the skill expects to read local config files or cache tokens. The skill will also create anonymous tokens via an API call if no token is present.
Persistence & Privilege
note: The skill is not force-included (always:false) and allows normal autonomous invocation. It instructs the agent to 'save session_id' but does not specify where or for how long; this may lead to persistent session state or orphaned jobs. No explicit request to modify other skills or system-wide settings is present.