Skillv1.0.0

ClawScan security

Video Editing With Nodes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 10:05 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud-based video-editing integration and mostly proportionate, but there are small metadata inconsistencies and clear privacy implications (user video files are uploaded to an external service) you should be comfortable with before installing.
Guidance: This skill appears to do what it says: it uploads the videos you drop into the chat to an external cloud service (mega-api-prod.nemovideo.ai) for node-based editing and returns downloadable outputs. Before installing: 1) be comfortable with uploading your video content to that external service and review its privacy/terms, 2) prefer supplying your own NEMO_TOKEN if you have an account rather than using the anonymous token flow, 3) confirm the endpoint hostname is legitimate and trusted, and 4) ask the skill author to resolve the small metadata mismatch (SKILL.md lists ~/.config/nemovideo/ but registry metadata omitted config paths) so you know whether the skill will read a local config file for stored tokens.

Review Dimensions

Purpose & Capability: okThe name/description (node-based cloud video editing) align with required artifacts: a single service token (NEMO_TOKEN) and API calls to nemovideo.ai for session creation, uploads, renders, and status. Asking for a service token is expected for a cloud editor.
Instruction Scope: noteSKILL.md instructs the agent to create sessions, upload user video files, send SSE edits, poll render status, and return download URLs — all within the described purpose. It also instructs generating an anonymous token if NEMO_TOKEN is missing. Note: this will upload user media to an external API (mega-api-prod.nemovideo.ai), which is expected for cloud editing but has privacy implications. The file describes attribution headers and an 'auto-detect' platform value (which implies reading install path or environment), which is operationally reasonable but gives the agent extra system-sensing scope.
Install Mechanism: okInstruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer; runtime behavior is purely API calls, so install risk is low.
Credentials: noteOnly NEMO_TOKEN is declared as required, which is proportionate. SKILL.md also offers an anonymous-token flow (POST to /api/auth/anonymous-token) and instructs using that token as NEMO_TOKEN if none exists. The frontmatter in SKILL.md references a config path (~/.config/nemovideo/) where existing credentials might be found — the registry metadata shown earlier did not list config paths, so there is an inconsistency to clarify. Requiring a single service token is reasonable; do not provide unrelated credentials.
Persistence & Privilege: okalways:false (no forced always-on). The skill does not request system-wide privileges or control of other skills. Autonomous invocation is allowed by default but not excessive here.