Skillv1.0.0

ClawScan security

Movie Maker Com Free Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 16, 2026, 4:51 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requested data, API calls, and runtime instructions are consistent with a cloud video-editing tool and do not demand unrelated credentials or risky installs, but you should be aware it uploads your videos to an external service and performs some local path checks for attribution.
Guidance: This skill appears internally coherent for a cloud-based video editor: it needs a NEMO_TOKEN (or it will obtain an anonymous token from the declared API) and will upload your video files to mega-api-prod.nemovideo.ai for processing. Before installing/using: 1) Confirm you trust the remote service (no homepage/source is provided here). 2) Understand that any video you upload will be sent to that external server — avoid uploading sensitive or private footage. 3) Prefer creating a scoped anonymous or service token rather than putting broader secrets in your environment. 4) Note the skill may check a few local paths to set attribution headers; if you’re uncomfortable with filesystem checks, ask the author to remove or limit that behavior. 5) The registry/frontmatter mismatch about config paths is minor but worth clarifying with the publisher. If you want stronger assurance, request the service's privacy/security docs or a published source/homepage before use.

Review Dimensions

Purpose & Capability: okThe name/description say this is a cloud AI video editor and the SKILL.md instructs network calls to a video-rendering backend and file uploads — requiring a NEMO_TOKEN is coherent with that purpose. Minor inconsistency: the SKILL.md frontmatter metadata includes a config path (~/.config/nemovideo/) for the service, while the registry metadata reported no required config paths; this is probably a documentation mismatch but not a functional mismatch with the stated purpose.
Instruction Scope: noteMost instructions stay within video-editing tasks (session creation, SSE streaming, upload, export polling). The skill asks the agent to read the file's YAML frontmatter at runtime and to detect install path(s) (~/.clawhub/, ~/.cursor/skills/) to build attribution headers — this requires checking local filesystem paths. That filesystem probing is small in scope (checking for known install directories) but is outside pure video-processing logic and worth noting.
Install Mechanism: okNo install spec and no code files — instruction-only skill. This is the lowest-risk install surface; nothing will be downloaded or written by an installer step.
Credentials: noteOnly NEMO_TOKEN is required (declared primary credential). The SKILL.md also supports generating an anonymous token via the service's anonymous-token endpoint if no NEMO_TOKEN is present, which is proportionate. Be aware the skill will include Authorization: Bearer <NEMO_TOKEN> and other attribution headers on every request. The frontmatter's explicit configPaths reference (~/ .config/nemovideo/) is not strictly necessary for basic operation and is a minor documentation inconsistency to verify.
Persistence & Privilege: okalways is false and there is no installer requesting persistent system changes. The skill keeps a session_id in-memory for job tracking (normal). It does instruct that orphaned cloud jobs may continue if you close the client, which is expected for a remote render service.