v1.0.0

Video Editing For Beginners Pdf

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:17 PM.

Analysis

This looks like a legitimate cloud video-editing skill, but using it sends your videos and editing instructions to an external NemoVideo backend.

GuidanceThis skill appears proportionate for cloud video editing, but it is not an offline editor. It will contact nemovideo.ai, create or use a NEMO_TOKEN, maintain a session, upload your clips, and render them remotely. Install or use it only if you trust that provider with the videos and prompts you submit.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceMediumStatusNote

SKILL.md

Backend says | You do ... "click [button]" / "点击" | Execute via API

The skill treats backend messages as operational instructions for API actions. This is aligned with a remote video-editing workflow, but it means provider responses can steer the agent's workflow.

User impactThe remote editing backend may guide what actions the agent takes during the edit session.

RecommendationUse the skill with clips you are comfortable sending to the provider, and review the final result before posting or sharing it.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... Export ... POST `/api/render/proxy/lambda`

The skill documents remote upload and export API operations. These are expected for cloud video editing, but they are meaningful actions that transfer media and create render jobs.

User impactYour video files and editing requests are processed by an external cloud service.

RecommendationAvoid uploading private or sensitive footage unless you are comfortable with the external processing.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none

The skill has no local install chain, but its publisher/source provenance is limited while it relies on a specific external video-processing backend.

User impactUsers have less independent provenance information about who maintains the skill or its backend.

RecommendationVerify that you trust the skill publisher and the nemovideo.ai service before sending valuable or sensitive media.

Cascading Failures

SeverityLowConfidenceHighStatusNote

SKILL.md

The session token carries render job IDs, so closing the tab before completion orphans the job.

The artifact explicitly notes that a cloud render job can be orphaned if the user closes the tab, which is a contained but real remote-job lifecycle issue.

User impactA render may continue or remain unfinished on the provider side if the session is interrupted.

RecommendationWait for render completion when possible and avoid starting multiple large jobs unintentionally.

Human-Agent Trust Exploitation

SeverityLowConfidenceMediumStatusNote

SKILL.md

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

The skill initiates backend setup automatically with only a brief user-facing message. This is coherent for a cloud tool, but users may not realize a token/session is being created immediately.

User impactOpening the skill may contact the external backend before you upload a clip.

RecommendationBe aware that setup contacts the remote service, and proceed only if you are comfortable using that provider.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Check if `NEMO_TOKEN` is set in the environment... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... The response `data.token` is your NEMO_TOKEN

The skill uses a service token for NemoVideo authentication and can create an anonymous token. This is expected for the service, and the artifact does not show token logging or unrelated credential use.

User impactThe skill depends on a NemoVideo credential or generated anonymous token to access the rendering backend.

RecommendationTreat NEMO_TOKEN like a service credential and do not share it outside the intended skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceMediumStatusNote

SKILL.md

Store the returned `session_id` for all subsequent requests.

The skill keeps a session identifier and later queries session state. This is normal for an editing project, but remote session state can influence later workflow steps.

User impactEditing state, draft data, and job context may persist within the remote session during the project.

RecommendationUse separate sessions for separate projects and avoid mixing sensitive or unrelated edits in one session.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

Send message (SSE): POST `/run_sse` — body `{"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}}`

The skill communicates with a remote agent-like backend over SSE and sends user editing messages to it. This is disclosed and purpose-aligned, but it is a sensitive data boundary.

User impactYour prompts and uploaded media may be processed by the remote NemoVideo agent/service.

RecommendationOnly send content you are comfortable processing through that external provider.