Skill v1.0.0

ClawScan security

Video Editor Automatic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 12:17 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with an online auto-video-editing service: it only needs a service token, uploads user media to the specified backend, and has no install-time code or unusual credential asks.
Guidance
This skill will upload any video you give it to mega-api-prod.nemovideo.ai for processing, using a NEMO_TOKEN if present or obtaining a short-lived anonymous token if not. Before installing or invoking: (1) confirm you trust the nemovideo.ai domain and its privacy policy because your video content will leave your device, (2) be aware the skill may check a local config path or detect install locations for attribution headers (this can reveal some environment info), and (3) avoid sending sensitive or confidential footage unless you have verified the service and token handling. If you prefer not to expose files to an external service, do not grant NEMO_TOKEN or upload media through this skill.

Review Dimensions

Purpose & Capability
ok: Name/description (auto-edit videos) aligns with the declared requirement (NEMO_TOKEN) and with the SKILL.md, which details uploading video files, creating a session, queuing render jobs, polling for results, and returning download URLs. Supported formats and size limits match the stated purpose.
Instruction Scope
note: Runtime instructions are scoped to interacting with the nemovideo.ai API: creating/using a token, uploading files, SSE for edits, polling state, and exporting renders. A minor note: the skill describes deriving an X-Skill-Platform header from an install path (e.g., ~/.clawhub/ or ~/.cursor/skills/) and declares a config path (~/.config/nemovideo/), which implies the agent might check those local paths for context — this is plausible for attribution/UX but is not strictly required for editing and could reveal local environment details.
Install Mechanism
ok: No install spec or code files are present; this is instruction-only so nothing is written to disk or fetched during install.
Credentials
note: Only one credential is required (NEMO_TOKEN), which is appropriate for an API-backed service. The skill also documents a fallback anonymous-token flow (POST to the provider) if no token is provided. The declared config path (~/.config/nemovideo/) could give the skill access to local config if the agent chooses to read it — expected but worth noting for privacy.
Persistence & Privilege
ok: always is false and the skill doesn't request persistent platform-wide privileges. Autonomous invocation (default) is enabled but is normal for skills of this type.