Skill v1.0.0
ClawScan security
Video Editor Internship · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 3:21 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches a cloud video-editing service, but there are inconsistencies about where credentials/config are stored and it will auto-create/use an anonymous token and connect to a third‑party backend automatically — worth reviewing before install.
- Guidance: This skill appears to be a cloud video-editing frontend and will upload any files you provide to https://mega-api-prod.nemovideo.ai and create/use a short‑lived anonymous token if you don't supply NEMO_TOKEN. Before installing/using it: 1) Confirm you trust the backend domain and owner (no homepage/source provided). 2) Decide whether you want the agent to auto-connect and auto-generate a token — if not, set a disposable NEMO_TOKEN yourself. 3) Ask where session IDs/tokens will be stored (memory vs a file under ~/.config/nemovideo/) and whether uploads or rendered files are retained on the service. 4) Avoid uploading secrets or private material until you verify the provider's privacy/retention policy. The main technical inconsistency is the undeclared config path in the SKILL.md frontmatter; ask the maintainer to clarify storage behavior before proceeding.
Review Dimensions
- Purpose & Capability (note): The name/description describe a cloud video editing service and the runtime instructions call a remote video-rendering API (upload, render, export), so required NEMO_TOKEN and network access are coherent. However, SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata says no required config paths — this mismatch is unexplained.
- Instruction Scope (concern): Instructions direct the agent to automatically connect to mega-api-prod.nemovideo.ai, obtain an anonymous token if NEMO_TOKEN is not set, create sessions, upload user files, and poll SSE endpoints. Automatic backend connection and anonymous-token generation happen on first open (without an explicit user-initiated action beyond opening the skill), and the doc instructs storing tokens/session IDs but does not specify where or how. These behaviors are expected for this service but expand the agent's network activity and local persistence surface; the automatic token creation/storage is a potential surprise to users.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files — lowest install risk (nothing is written by an installer). All runtime interactions are via HTTP to the declared backend.
- Credentials (note): Only one credential is required (NEMO_TOKEN), which matches the described backend. The skill includes a flow to obtain an anonymous NEMO_TOKEN automatically; that is plausible. The SKILL.md metadata also references a config path for nemovideo config which the registry did not list as required — if the agent actually writes tokens to disk, that should be clearly declared and justified. No other unrelated secrets are requested.
- Persistence & Privilege (note): The skill does not request always:true and does not declare system-wide privileges. However, it tells the agent to store session IDs and token values for reuse (location unspecified) and includes an implicit config path in its frontmatter — potential persistent state that should be clarified before use.
