Skillv1.0.0

ClawScan security

One Video Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 4:27 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are consistent with a cloud video-processing integration that uses a single service token; nothing in the SKILL.md asks for unrelated credentials or system-wide access.
Guidance: This skill appears coherent for a cloud video-editing integration that uses a single API token (NEMO_TOKEN). Before installing: 1) Confirm you trust the domain (https://mega-api-prod.nemovideo.ai) because your uploads and any generated tokens will be sent there. 2) Understand that uploads require access to user-supplied file paths (the tool will read files you choose to upload). 3) The SKILL.md frontmatter references a config path (~/.config/nemovideo/) even though the registry metadata didn't — ask the publisher whether the skill expects local config files. 4) The skill provides a flow to mint an anonymous token; if you prefer, set your own NEMO_TOKEN rather than using anonymous provisioning. 5) The skill asks not to print tokens — ensure your agent follows that. If you need higher assurance, request the publisher's homepage/source or ask for a code-backed skill (not instruction-only) so you can review network calls and headers in detail.

Review Dimensions

Purpose & Capability: okThe name/description (AI video editing for uploaded footage) matches the runtime instructions: endpoints for session creation, upload, SSE-based editing, render/export, and a single service token (NEMO_TOKEN). No unrelated cloud providers, admin credentials, or system binaries are requested.
Instruction Scope: noteInstructions require uploading user-provided files (multipart upload or supplying a URL) and interacting with SSE/polling flows — which is expected. The skill also instructs detecting an install path for X-Skill-Platform and reading its own YAML frontmatter for attribution; this implies reading known locations (own skill file / install path) and accessing user-supplied file paths for upload. There is no directive to read arbitrary unrelated files or other credentials.
Install Mechanism: okThis is an instruction-only skill with no install spec or code to download; nothing will be written to disk by an installer step. Lowest-risk install model.
Credentials: noteOnly NEMO_TOKEN is declared as required (primary credential), which fits the API usage. Minor inconsistency: the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — either the registry omitted it or the frontmatter is stale. The stated config path is service-specific (not a system-wide auth store), but you may want clarification.
Persistence & Privilege: okalways is false and the skill does not request system-wide modifications or to persist credentials beyond typical session tokens. Autonomous invocation is allowed (platform default) but is not combined with broad credentials or persistent privileges.