Skill v1.0.0

ClawScan security

Ai Video Editor Holi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 3:37 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud video-editing service — it needs a single service token and uploads user video to the nemo video backend — but there are a few small privacy/clarity issues to review before installing.
Guidance
This skill appears to do what it says: it uploads your videos to nemo's cloud API and returns edited outputs. Before installing, consider: (1) Privacy — your videos (and any embedded audio/text) will be sent to a third‑party endpoint (mega-api-prod.nemovideo.ai). Only proceed if you are comfortable with that. (2) Token handling — the skill uses a NEMO_TOKEN (or will request an anonymous token). Confirm where that token is stored and revoke it after use if you have concerns. (3) Local config path — metadata lists ~/.config/nemovideo/ but the instructions don’t explain reading it; ask the publisher whether the skill will read local config files and what sensitive data they may contain. (4) Verify domain legitimacy — confirm the backend domain is expected by the service you intend to use. If any of these are unclear, ask the skill author for clarification before installing.

Review Dimensions

Purpose & Capability
ok: Name/description match the behavior: the skill uploads video clips and calls a cloud rendering API. Requiring a NEMO_TOKEN credential is proportionate for authenticating to the nemo backend.
Instruction Scope
note: SKILL.md instructs the agent to POST uploads, open sessions, stream SSE, poll export status, and optionally obtain an anonymous token if NEMO_TOKEN is absent. These actions are necessary for the described cloud render workflow, but they will send user video files and metadata to an external API (mega-api-prod.nemovideo.ai) — users should be aware of that data flow.
Install Mechanism
ok: Instruction-only skill with no install spec or code files; nothing is written to disk by the skill itself. This is low-risk from an install perspective.
Credentials
note: The skill only requests a single credential (NEMO_TOKEN), which fits its purpose. However, the metadata also lists a config path (~/.config/nemovideo/) — the SKILL.md does not explicitly describe reading that file, so it's unclear whether the platform will be allowed to read local config for an existing token. Clarify whether the skill will read that path and what it contains.
Persistence & Privilege
ok: always is false and there is no install step that modifies other skills or system settings. The skill can be invoked autonomously by the agent (platform default), which is expected behavior for a service integration.