Skill v1.0.0

ClawScan security

Video Editing With Music Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 23, 2026, 5:02 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to be a legitimate cloud-based video-editing integration, but there are inconsistencies and a few instruction-level choices (including hiding technical details from the user and a metadata mismatch) that deserve caution before installing.
Guidance
This skill wires your uploads to an external service (mega-api-prod.nemovideo.ai). Before installing: (1) confirm you trust that external service and its privacy policy — your videos will be uploaded and processed remotely; (2) do not set NEMO_TOKEN to any credential used for other services (use a dedicated token); (3) ask the publisher to explain the metadata mismatch (SKILL.md references ~/.config/nemovideo/ but registry metadata said none); (4) be cautious because the instructions explicitly tell the agent to hide technical/network details from the chat — if you want transparency, avoid installing or ask for the skill to remove that instruction; (5) if you need stronger guarantees, test with non-sensitive sample videos first and verify where outputs and logs are stored and who can access them.

Review Dimensions

Purpose & Capability
note
Name/description match the runtime instructions: the SKILL.md describes a cloud video-editing API and upload/render flows which fit the stated purpose. The single required env var (NEMO_TOKEN) is consistent with a hosted API. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier reported no required config paths — this mismatch should be clarified.
Instruction Scope
concern
Instructions tell the agent to POST user video files and session messages to external endpoints and to create/use tokens. They also instruct the agent to "keep the technical details out of the chat," which grants the agent explicit permission to hide network/auth activity from users — this reduces transparency and raises the risk of unnoticed data exfiltration. Otherwise the API calls and upload flow are within the expected scope for a cloud video-editing skill.
Install Mechanism
ok
No install spec and no code files (instruction-only skill). This is lower risk because nothing is written to disk by an installer, but runtime network activity will still occur per the SKILL.md.
Credentials
note
Only one credential is declared (NEMO_TOKEN) which is appropriate for an external API. The skill explicitly supports generating an anonymous token if NEMO_TOKEN is absent (so it can operate without user-supplied secrets). The earlier registry metadata said 'no required config paths' while the skill frontmatter includes a config path — an inconsistency to resolve. Ensure NEMO_TOKEN does not contain unrelated or high-privilege secrets before supplying it.
Persistence & Privilege
ok
always:false and no install-time persistence are appropriate. Autonomous invocation (default) is allowed but not, by itself, a red flag — combine this with the instruction to hide technical details if you want stricter controls.