Skill v1.0.0
ClawScan security
Video Editing With Effects · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 7:01 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly matches a cloud-based video-editing integration, but there are internal inconsistencies about required credentials/config paths and it will send user video files to an external, unverified backend — review before installing.
- Guidance
- This skill sends your video files and session tokens to an external API (mega-api-prod.nemovideo.ai). Before installing: (1) Confirm you trust that domain and its privacy/retention policy because uploads may include sensitive content. (2) Note the registry says NEMO_TOKEN is required but the skill will auto-create an anonymous token if one isn't set — ask the publisher which behavior is intended. (3) The SKILL.md references a local config path in frontmatter that the registry does not list; verify whether the skill will read/write ~/.config/nemovideo/. (4) If you need stronger guarantees, request the publisher's homepage, privacy policy, and a signed specification for token handling and data retention. If you cannot verify the backend/operator, avoid uploading confidential videos.
Review Dimensions
- Purpose & Capability
- note: The skill's name and description align with its instructions: it routes uploads to a remote rendering API and returns edited videos. However the registry says NEMO_TOKEN is required, while the SKILL.md describes automatically obtaining an anonymous token if NEMO_TOKEN is not present — an inconsistency about whether that env var is truly required. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) even though registry metadata reported no required config paths.
- Instruction Scope
- ok: Instructions are narrowly scoped to creating/using a session, uploading video files, sending SSE edits, polling render status, and returning download URLs. The skill explicitly instructs the agent to upload local files (multipart or URL), include specific attribution headers, and to hide raw API responses/tokens from the user. Uploading local video files and transmitting them to the external API is expected for this purpose but is a privacy/security decision the user must accept.
- Install Mechanism
- ok: No install spec and no code files — instruction-only. This minimizes disk-write risk. All runtime behavior is network calls to the stated backend.
- Credentials
- concern: Only one credential (NEMO_TOKEN) is referenced, which is proportionate to a cloud render service. However, the skill metadata/registry claims it is required while the runtime instructions describe auto-generating an anonymous token when absent — this mismatch should be clarified. The frontmatter also references a config path (~/.config/nemovideo/) not reflected in the registry metadata.
- Persistence & Privilege
- ok: always is false and the skill does not request persistent installation or system-wide config changes. It does instruct storing a session_id for subsequent requests, which is normal session state for an API client.
