Skill v1.0.0

ClawScan security

Video Editing App In Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 9:21 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are largely consistent with a cloud-based video-editing service, but there are small metadata/instruction inconsistencies and some privacy implications (automatic token creation and uploading of user videos) you should consider before installing.
Guidance
This skill behaves like a cloud video-editing front end: it uploads your video files to nemovideo.ai, obtains/stores an anonymous token if you don't provide one, and keeps a session id for subsequent requests. Before installing: (1) be aware your raw media will leave your machine and be processed by an external service; check the service's privacy/retention policy. (2) The skill can auto-generate and store NEMO_TOKEN and session_id — consider whether you want those credentials persisted by your agent. (3) Note a small metadata mismatch: the skill's frontmatter references a config path (~/.config/nemovideo/) that the registry listing did not; you may want the publisher to clarify. (4) If you require on-device editing or strict data residency, do not install. Otherwise this appears internally consistent with its stated purpose; verify the nemovideo.ai domain and terms if you plan to use it for sensitive content.

Review Dimensions

Purpose & Capability
ok
The name/description (cloud AI video editing) matches the runtime instructions: creating a session, uploading video files, running SSE edits, and exporting rendered MP4s. Requiring a service token (NEMO_TOKEN) and calling the nemovideo.ai endpoints is proportional to the stated purpose.
Instruction Scope
note
SKILL.md instructs the agent to automatically obtain an anonymous token if NEMO_TOKEN is not set, create and store a session_id, upload user video files to the remote render API, and forward SSE responses to the user. These actions are expected for a cloud editing workflow, but they do involve transmitting user media to an external service and storing a token/session for subsequent requests. The instructions also tell the agent to read the skill's YAML frontmatter and to detect an install path to set an X-Skill-Platform header — reading install path metadata is reasonable for attribution but will expose some local path info.
Install Mechanism
ok
There is no install spec and no code files (instruction-only). That minimizes disk writes and unknown package installs. All external behavior is driven by HTTP calls described in SKILL.md.
Credentials
note
The skill declares a single credential (NEMO_TOKEN), which is appropriate. It also describes how to automatically obtain an anonymous token from the service if the env var is absent. One small inconsistency: the top-level registry metadata lists no required config paths, while the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/). This mismatch should be clarified but does not necessarily indicate malicious intent.
Persistence & Privilege
note
always:false and normal autonomous invocation settings. The skill instructs storing a session_id and re-using the token, which implies some persistence of credentials/session state; this is expected for an API-backed workflow but means tokens/sessions might be persisted in the agent's storage. The skill does not request system-wide privileges or modification of other skills.