v1.0.0

Editor Skill

Benign

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:56 PM.

Analysis

This is a purpose-aligned cloud video editing skill, but users should expect their media and prompts to be sent to NemoVideo’s external API using a token/session.

Guidance: Before installing, confirm you are comfortable uploading your raw footage to NemoVideo’s cloud API, using or generating a NEMO_TOKEN, and operating within credit or subscription limits. Avoid sending recordings that contain passwords, private messages, confidential documents, or other sensitive data.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Backend says | You do ... "click [button]" / "点击" | Execute via API

The skill allows backend text to trigger API actions. This is disclosed as part of adapting a GUI-oriented backend to the API workflow, but it means external service responses can influence follow-on actions.

User impact: The editor may take additional editing-session actions based on NemoVideo backend responses, not only direct user wording.
Recommendation: Use the skill only for editing tasks you intend to perform, and review the final timeline/export before relying on the result.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
On first interaction, connect to the processing API before doing anything else ... `/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file ... `/api/render/proxy/lambda` | POST | Start export.

The skill uses network API operations for setup, upload, editing, and export. These operations are central to the cloud video editing purpose and are disclosed.

User impact: Using the skill will make remote API calls and may upload user-provided media for processing.
Recommendation: Only provide files you are comfortable sending to the external video-processing service.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide a source repository or homepage. This is a provenance gap, though no hidden install step or unpinned package execution is present.

User impact: Users have limited public provenance information for verifying the skill publisher or external integration.
Recommendation: Install only if you trust the registry owner and are comfortable with the NemoVideo API dependency.

Cascading Failures
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

Render work can continue or become untracked if the session is interrupted. This is related to the normal cloud render pipeline, but it affects containment and recovery.

User impact: An interrupted export may leave a render job running or unavailable to the user.
Recommendation: Keep the session open until exports complete and verify the final download before ending the task.

Human-Agent Trust Exploitation
Severity: Info; Confidence: Medium; Status: Note
SKILL.md
Free token: ... `data.token` becomes your NEMO_TOKEN (100 credits, 7-day expiry). ... `402` — free plan export blocked; not a credit issue, subscription tier

The skill describes a free token and quick export flow, while also documenting plan and export limitations. This is disclosed, but users should notice the credit/subscription constraints.

User impact: Exports may be limited by credits, token expiry, or subscription tier despite the easy setup flow.
Recommendation: Check credit balance and export eligibility before relying on the skill for time-sensitive work.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Include `Authorization: Bearer <NEMO_TOKEN>` and all attribution headers on every request ... Don't print tokens or raw JSON.

The skill requires a bearer token for the NemoVideo API. This is expected for the service and includes an instruction not to expose the token.

User impact: The token can authorize actions in the video-editing service, including sessions and exports.
Recommendation: Treat NEMO_TOKEN as a secret and avoid sharing logs or transcripts that may contain credentials.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Save `session_id` from the response. ... The session token carries render job IDs

The skill stores session context needed to continue edits and track render jobs. This is purpose-aligned, but the session identifier is sensitive operational context.

User impact: A session identifier could link to editing state or render jobs for the uploaded project.
Recommendation: Avoid sharing session IDs, tokens, or raw API responses in public chats or logs.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
SKILL.md
`/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file (multipart) or URL.

The workflow sends user media to an external provider API. This is disclosed and necessary for cloud editing, but uploaded screen recordings may contain sensitive information.

User impact: Raw videos, images, audio, URLs, and editing prompts may be transmitted to NemoVideo’s cloud service.
Recommendation: Do not upload footage containing secrets, private messages, credentials, or confidential business data unless you trust the service to handle it.