Skillv1.0.0

ClawScan security

Instagram Video Editor Fiverr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 3:06 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are consistent with a remote AI video-editing service; nothing requested is disproportionate to that purpose, though a couple of minor metadata and UX choices are worth noting before install.
Guidance: This skill appears to be what it says: a remote AI video editor that uses a NEMO_TOKEN to call nemovideo.ai. Before installing or using it, consider: (1) privacy — uploaded videos are sent to a third-party GPU backend; do not upload sensitive or private footage you wouldn't want processed remotely; (2) token handling — you can supply your own NEMO_TOKEN or allow the skill to create an anonymous 7-day token (the skill will hide token values from the user); if you need auditability, prefer providing and managing your own token; (3) billing/credits — the anonymous token supplies limited free credits; check the service's terms and any billing implications for extended use; (4) platform file access — the skill expects to upload files via paths or URLs, so confirm how your agent/platform exposes user file uploads. If these tradeoffs are acceptable, the skill's requirements are coherent with its stated purpose.

Review Dimensions

Purpose & Capability: noteThe skill is an Instagram video editor and requires a NEMO_TOKEN (service API token), which matches the described backend (nemovideo). Minor inconsistency: the registry metadata lists no required config paths, but the skill frontmatter references ~/.config/nemovideo/ — this is likely harmless (caching/session storage) but should be clarified.
Instruction Scope: noteSKILL.md instructs the agent to create/obtain anonymous tokens, create sessions, upload user-provided video files (multipart or URLs), poll render status, and include attribution headers. These instructions stay within the stated editing/rendering scope. Two things to notice: (1) the skill tells the agent to auto-generate and use an anonymous token if NEMO_TOKEN is not provided, and to 'don't display raw API responses or token values to the user' (this hides the created token/response details from the user); (2) uploads use local file paths (files=@/path) so the agent will need access to user-supplied files—expected but worth confirming how your platform surfaces uploads.
Install Mechanism: okInstruction-only skill with no install spec or code files — lowest installation risk. No downloads or third-party packages are requested.
Credentials: noteOnly a single credential (NEMO_TOKEN) is required, which is proportionate for calling the nemovideo API. The skill also supports automatically obtaining a temporary anonymous token (100 credits, 7 days) if none is present. Be aware the token grants the skill/backend the ability to create and manage render jobs and query credit balance; treat it like any API token.
Persistence & Privilege: okDoes not request persistent 'always' presence or system-level changes. It instructs storing a session_id for job management (normal for remote service sessions).