Skillv1.0.0

ClawScan security

Video Editor Free Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 27, 2026, 5:44 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions are broadly consistent with a cloud video-editing service, but its provenance is unknown and there are inconsistencies and minor scope-creep (probing local paths, frontmatter vs registry metadata) that raise privacy and trust concerns.
Guidance: This skill appears to do cloud-based video editing and will upload whatever media you provide to mega-api-prod.nemovideo.ai (expected for a cloud editor). Before installing or using it: 1) consider the privacy of the videos you plan to upload — don't upload sensitive content unless you trust the service; 2) note the skill's source/homepage are missing (no provenance) and SKILL.md metadata disagrees with registry metadata about config paths; 3) the agent is instructed to probe common install paths in your home directory to set an X-Skill-Platform header — if you prefer the agent not to inspect your filesystem, avoid installing; 4) if you must use this, prefer supplying your own NEMO_TOKEN from a trusted account rather than relying on anonymous tokens; and 5) ask the publisher for a homepage, privacy policy, or audited code before trusting sensitive content. If you want, I can point out the exact lines in SKILL.md that cause these concerns.

Review Dimensions

Purpose & Capability: noteThe skill's declared purpose (cloud video editing) matches the runtime instructions (uploading media, creating sessions, rendering on remote GPUs) and the single required credential (NEMO_TOKEN). However the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/) while the registry metadata said no required config paths — this mismatch is an incoherence in metadata/provenance. Also the skill has no visible homepage or known source, reducing traceability.
Instruction Scope: concernThe instructions ask the agent to upload user media to an external API (mega-api-prod.nemovideo.ai) and to include attribution headers read from the skill's frontmatter and by detecting the agent's install path (checking ~/.clawhub/, ~/.cursor/skills/). Probing the user's home paths to detect platform and reading frontmatter for headers are beyond pure editing logic and amount to filesystem checks that may be sensitive. Uploading potentially private videos to an external service is expected for a cloud editor but is an important privacy/scope consideration that should be clear to users.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers installation risk.
Credentials: noteOnly one credential (NEMO_TOKEN) is declared as required and is coherent with API authentication. The SKILL.md also supports obtaining an anonymous token if NEMO_TOKEN is absent, which reduces the need to supply a secret but also means the skill will call an external auth endpoint automatically. The frontmatter's mention of a configPath is not reflected in registry metadata, which is a small inconsistency to be aware of.
Persistence & Privilege: okThe skill is not always-enabled (always: false) and uses normal autonomous invocation settings. It does not request persistent system-wide privileges in the metadata provided.