Skill v1.0.0
ClawScan security
Video Editing Ai Effects · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 4:01 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud AI video editing) mostly matches its runtime instructions, but there are internal inconsistencies and a few behaviors you should understand before installing, notably automatic token acquisition, reading local install paths, and sending user media to an external service with an unknown homepage.
- Guidance: Before installing, consider that this skill will upload any video you send to an external domain (mega-api-prod.nemovideo.ai) and will automatically obtain an anonymous token if you haven't supplied NEMO_TOKEN. Confirm you are comfortable sending your media to that service and ask the publisher for a homepage, privacy terms, and provenance of the backend. Also ask why the skill probes local paths and reads its own frontmatter (this is a minor but unnecessary-looking filesystem probe). If you will upload sensitive content, avoid using this skill until you can verify the vendor and its data handling practices.
Review Dimensions
- Purpose & Capability (note): The skill claims to perform cloud video editing and only requests a single credential (NEMO_TOKEN), which is appropriate for a cloud API. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata reported no required config paths. This mismatch is an internal inconsistency worth clarifying with the publisher.
- Instruction Scope (concern): Instructions actively send user video/audio files to https://mega-api-prod.nemovideo.ai and will POST/stream data to that backend (expected for this purpose). They also instruct the agent to: read the skill's YAML frontmatter to populate X-Skill-Version, probe local install paths (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform, and create an anonymous token if NEMO_TOKEN is not present. Probing local paths and reading files is not strictly required for core video editing and broadens the skill's runtime footprint; ask why these attribution probes are needed. Also note the skill will automatically call external auth endpoints and may store transient tokens for 7 days.
- Install Mechanism (ok): No install spec or code files are included (instruction-only), so nothing gets downloaded or written by an installer. This minimizes installer-side risk.
- Credentials (note): Only NEMO_TOKEN is declared as required and is the primary credential; this is proportionate to a cloud video service. The skill, however, will create an anonymous NEMO_TOKEN by calling the vendor API if no token is present, which means the agent will perform network auth on the user's behalf. No other unrelated secrets are requested.
- Persistence & Privilege (ok): always:false and no install-time persistence is requested. The skill expects to keep a session_id in-memory per session but does not request system-wide privileges or to modify other skills. Autonomous invocation is allowed by default (platform normal), which is appropriate, but note it enables the skill to call external endpoints when invoked.
