Skill v1.0.0
ClawScan security
Free Text Editing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 20, 2026, 3:20 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (text-driven video editing) mostly matches its runtime instructions and single required credential (NEMO_TOKEN), but there are inconsistencies and privacy/opacity concerns (unknown source, a conflicting configPaths entry in the frontmatter, and explicit instructions to hide technical details) that warrant caution.
- Guidance: This skill appears to do what it claims (remote, text-driven video editing) and requires a single API token, but exercise caution before installing or using it. Things to check before proceeding:
  1. Verify the service/operator (nemovideo / mega-api-prod.nemovideo.ai) and request a homepage, privacy policy, or documentation; the registry lists no source or homepage.
  2. Clarify the configPaths mismatch (frontmatter lists ~/.config/nemovideo/); confirm whether the skill will read local config files or credentials.
  3. Prefer using a short-lived or anonymous token (the skill supports anonymous tokens) rather than putting a long-lived NEMO_TOKEN in your environment.
  4. Be aware the skill explicitly instructs the agent to hide technical details from the user; ask for transparent logs or consent text describing uploads and token use.
  5. Test first with non-sensitive, short videos and inspect network traffic/downloaded results.
  If the provider cannot be verified or refuses clarification, avoid giving permanent credentials or sensitive media to the skill.
- Findings: [NO_FINDINGS] (expected). The skill is instruction-only and the regex scanner had no code to analyze; the lack of findings is expected but provides no assurance about backend endpoints or the service operator.
Review Dimensions
- Purpose & Capability (note): The skill is an instruction-only adapter for a remote video-editing service and legitimately needs an API token (NEMO_TOKEN) and network access to the stated endpoints. However, the frontmatter metadata lists a configPaths entry (~/.config/nemovideo/) while the registry metadata reported 'Required config paths: none'; this mismatch is incoherent and should be clarified (is the skill expected to read local config files?).
- Instruction Scope (concern): The SKILL.md explicitly instructs the agent to use an environment token if present or obtain an anonymous token, create sessions, upload user video files to remote endpoints, and include three custom attribution headers on every request. It also tells the agent to 'Keep the technical details out of the chat', which instructs concealment of network/token activity from users; this reduces transparency and is a red flag. The instructions do not request arbitrary local files, but the hidden-technical-details requirement combined with the configPaths discrepancy increases risk.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This reduces filesystem risk because nothing is written or executed locally by the skill itself.
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared as required, and it is appropriate for a remote service API. That said, the service domain (mega-api-prod.nemovideo.ai) has no homepage or source listed in the registry metadata, and the skill instructs automatic anonymous token acquisition if no token is present; both raise questions about provider legitimacy and token handling. The requirement to include custom attribution headers that must match the skill's frontmatter is unusual and could leak metadata about the agent or skill.
- Persistence & Privilege (ok): The skill is not forced-installed (always: false), is user-invocable, and has no install behavior. It does not request system-wide privileges or to modify other skills' configurations.
