Skillv1.0.0

ClawScan security

Video Editing Ai Tools Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 16, 2026, 4:35 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are internally consistent with a cloud-based video-editing integration: it needs a single service token, calls an external render API, and has no install or extra credentials — but review privacy and file-upload behavior before use.
Guidance: This skill appears to do what it says: call a remote video-editing API using a NEMO_TOKEN and upload user-provided video files. Before installing or invoking it, consider these points: (1) Privacy: videos are uploaded to https://mega-api-prod.nemovideo.ai — confirm you are comfortable sending your content to that domain and review its privacy/security policies. (2) File uploads: ensure the agent only uploads files you explicitly provide in chat; do not allow it to read or upload arbitrary local files. (3) Token handling: the skill will accept an existing NEMO_TOKEN or obtain an anonymous token via the API — treat any tokens as sensitive. (4) Platform detection: the skill reads its own frontmatter and may check common install paths to set an X-Skill-Platform header; this is limited but be aware it accesses those paths. If you need higher assurance, ask the publisher for a homepage/privacy policy or use a known/trusted video-editing API instead.

Review Dimensions

Purpose & Capability: okName/description, required credential (NEMO_TOKEN), and the SKILL.md all describe a cloud video-editing service and the API endpoints and flows match that purpose. No unrelated credentials or binaries are requested.
Instruction Scope: noteInstructions are detailed and self-contained for interacting with the remote API (auth, session, upload, export, poll). Two things to note: (1) the skill instructs reading its YAML frontmatter and detecting install path (to populate X-Skill-Platform), which requires looking at known local paths; (2) upload instructions reference multipart form with a file path (files=@/path) — the agent should only upload files explicitly provided by the user. The SKILL.md does not ask for arbitrary system files or unrelated environment variables.
Install Mechanism: okThere is no install spec and no code files — this is instruction-only, so nothing is downloaded or written to disk by an installer. This is a low-risk install footprint.
Credentials: noteOnly one environment variable (NEMO_TOKEN) is declared as required and is the primary credential used to call the service, which is proportional. Minor inconsistency: the doc also documents an anonymous-token flow (POST to obtain a temporary NEMO_TOKEN) so requiring NEMO_TOKEN up-front is not strictly necessary but is explainable as an override for users who already have one.
Persistence & Privilege: okalways is false and there is no indication the skill requests permanent system privileges or modifies other skills. It will store session_id state for ongoing render jobs (expected for this use case).