Skill v1.0.0
ClawScan security
Online Video Editor Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 12:35 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly behaves like a cloud video editor (it only needs a single service token) but contains internal inconsistencies about config paths and requires uploading user videos to a third-party API — the functional footprint is plausible but some details don't add up and raise privacy/clarity concerns.
- Guidance: This skill appears to be a normal cloud-based video editor: it uploads your media to nemovideo.ai, uses a single service token (NEMO_TOKEN), creates sessions, and returns a downloadable MP4. Before installing or using it, consider: (1) Privacy — your videos are uploaded to a third-party service (nemovideo.ai). Do not upload sensitive or private footage unless you trust the provider and have reviewed their privacy/retention policy. (2) Token and storage handling — the SKILL.md frontmatter references a local config path (~/.config/nemovideo/) but the registry metadata omitted it; ask the publisher whether tokens or session data will be stored on disk and where. (3) Token lifecycle — the anonymous token flow returns a short-lived token (noted as 7-day expiry); confirm how refresh/renewal and deletion are handled. (4) Verify the service — check the domain (TLS certificate, company, privacy terms) before sending content. If you need the skill for non-sensitive content and the vendor checks out, the required env var (NEMO_TOKEN) and network calls are proportionate. If you cannot verify the service or are concerned about privacy, do not use this skill with private videos.
Review Dimensions
- Purpose & Capability (note): The name/description (YouTube video editor) matches the network endpoints and actions described (upload, render, export). Requesting a single NEMO_TOKEN credential and interacting with nemovideo.ai is coherent with the stated purpose. However, the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/) while the registry metadata earlier lists no config paths — that inconsistency should be clarified (why would a simple instruction-only skill need a local config path?).
- Instruction Scope (ok): Runtime instructions are narrowly scoped to connecting to the nemovideo.ai API: obtain or use NEMO_TOKEN, create a session, upload files, stream SSE edits, poll render status, and return download URLs. The instructions explicitly require uploading user video/audio/image files to the remote service; this is expected for a cloud editor but is a privacy-sensitive operation. The instructions do not request unrelated system files or extra environment variables.
- Install Mechanism (ok): There is no install spec and no code files — the skill is instruction-only, which is the lowest install risk. Nothing is downloaded or written by an installer as part of the skill definition.
- Credentials (note): Only one credential (NEMO_TOKEN) is declared as required, which is proportionate for a cloud editing API. The frontmatter also lists a config path (~/.config/nemovideo/) which is not declared elsewhere in the registry metadata — this inconsistency could indicate the skill expects to read or write local configuration (and possibly tokens) but that behavior is not described in the instructions. Confirm whether the skill will store tokens or session data locally.
- Persistence & Privilege (ok): always is false (no forced inclusion) and the skill does not request elevated platform privileges. Autonomous invocation is allowed by default, which is expected for skills. There is no instruction to alter other skills or global agent settings.
