Skillv1.0.0

ClawScan security

Free Video Editor Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 5:18 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (cloud AI video editing) matches its runtime instructions and minimal requirements; it asks only for a service token and operates entirely via the service's API with no installable code.
Guidance: This skill appears internally consistent for a cloud-based AI video editor. Before installing, verify the API host (mega-api-prod.nemovideo.ai) is expected and trustworthy for your organization, and avoid uploading sensitive or private footage to an unknown third-party service. Note the skill will look for or create a NEMO_TOKEN (an access token) and may read ~/.config/nemovideo/ or detect install paths for attribution — if you prefer control, pre-create or provide a limited token or use an account with only the permissions/credits you want to grant. Because it is instruction-only, no code will be installed locally by the skill itself, but the agent will make network calls to the listed endpoints. If you want higher assurance, ask the skill author for the service's privacy/retention policy and an explicit explanation of what data is stored and for how long.

Review Dimensions

Purpose & Capability: okName/description describe a cloud-based AI video editor and the skill's instructions call the nemo video API, require a NEMO_TOKEN, and reference a nemo config path — these are coherent with the stated purpose. Minor note: the metadata marks NEMO_TOKEN as required but the SKILL.md also documents creating an anonymous token if none is present; this is plausible but slightly inconsistent with a strict "required env var" declaration.
Instruction Scope: okInstructions are specific to the nemo-video backend: session creation, SSE messaging, uploads, polling job state, and export. They instruct network calls to the declared API host and describe how to upload files (multipart or by URL). The skill asks the agent to read this file's YAML frontmatter and detect install path for attribution headers — both reasonable for attribution but do involve reading local install path/config. No instructions request unrelated system credentials or to exfiltrate data outside the declared API.
Install Mechanism: okNo install spec and no code files — instruction-only skill. This is the lowest-risk install mechanism because nothing is written to disk by the skill itself.
Credentials: noteOnly a single credential (NEMO_TOKEN) is declared as primary, which is proportional to a cloud editing service. However, SKILL.md documents automatically obtaining an anonymous NEMO_TOKEN by calling the service's anonymous-token endpoint if none is present; that behavior is reasonable but means the skill can create and use a token itself rather than strictly relying on an existing user-supplied token. The skill also references a config path (~/.config/nemovideo/) which is plausible for storing service credentials/state.
Persistence & Privilege: okThe skill is not force-enabled (always:false) and does not request system-wide changes or modification of other skills. It uses ephemeral session tokens for rendering jobs and does not include any instructions to persistently modify agent configuration.