Skill v1.0.0
ClawScan security
Free Text Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 3:13 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud-based video editing service; nothing strongly out-of-scope or obviously malicious was found, though there are small inconsistencies and ambiguous persistence behavior you should review before installing.
- Guidance: This skill appears to do what it says: it uploads user-supplied video files to nemovideo.ai, obtains or uses a NEMO_TOKEN, and returns rendered download URLs. Before installing: (1) confirm you are comfortable uploading videos to an external service (privacy/PII concern); (2) ask the publisher whether session tokens or the anonymous NEMO_TOKEN are stored persistently and where (the frontmatter mentions ~/.config/nemovideo/ but the registry metadata does not); (3) if you supply your own NEMO_TOKEN, treat it as sensitive (revoke it if needed); (4) verify the domain (mega-api-prod.nemovideo.ai) and review that service's privacy/terms; and (5) if you prefer, supply your own token instead of letting the skill auto-create one. If the publisher can clarify persistence behavior (in-memory only vs. on-disk) and the config-path mismatch, the remaining questions are minor.
Review Dimensions
- Purpose & Capability (ok): The skill is a cloud video text-editor and it asks only for a single service token (NEMO_TOKEN) and to communicate with nemovideo.ai endpoints. That credential and the described API calls are coherent with the stated purpose (uploading videos, editing via transcript, exporting rendered files). No unrelated cloud providers or system binaries are requested.
- Instruction Scope (note): Instructions limit activity to the nemo backend: obtaining/using a token, creating a session, uploading video files, SSE chat, polling render status, and returning download URLs. It does not instruct reading arbitrary host files or other environment variables. The only scope ambiguity: the frontmatter references a config path (~/.config/nemovideo/) and the doc says to "store the returned session_id" but does not state whether this storage is temporary (in-memory) or persistent (on disk).
- Install Mechanism (ok): No install steps or external downloads are required; this is an instruction-only skill. That minimizes on-disk modifications and is proportionate for this kind of integration.
- Credentials (note): Declared primaryEnv is NEMO_TOKEN, which is appropriate. The skill will also auto-acquire an anonymous token by POSTing to the service if NEMO_TOKEN is not set; this is consistent with the service's anonymous flow but means the skill can create credentials for short-lived usage without an explicit user-provided token. The frontmatter claims a config path (~/.config/nemovideo/) while the registry metadata indicated none; this mismatch is unexplained and could imply persistent storage that wasn't documented elsewhere.
- Persistence & Privilege (note): always:false and normal autonomous invocation are fine. The only potential privilege/persistence issue is whether the skill writes session tokens or session_id to the user's config directory (~/.config/nemovideo/) or other persistent storage; the SKILL.md does not clearly specify where or whether data is persisted. If it does persist tokens locally, that increases the risk surface and you should know where/how it stores them and how to revoke them.
