Skill v1.0.0

ClawScan security

Editing Video Ai Prompt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 22, 2026, 9:01 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (AI video editing) matches most of its instructions, but there are metadata inconsistencies and a few opaque instructions (e.g., hiding technical details) that warrant caution before installing.
Guidance
This skill mostly behaves like a normal hosted-video-editing integration, but check a few things before installing: (1) Confirm the source of NEMO_TOKEN and prefer using a short-lived or anonymous token if possible — avoid pasting long-lived AWS/GCP/other platform credentials. (2) Ask the author to reconcile the metadata mismatch: the registry says no config paths are required but SKILL.md lists ~/.config/nemovideo/; do not allow access to that path unless you understand what it contains. (3) Be cautious about the instruction to 'keep technical details out of the chat' — request that the skill surface operation/status messages and errors so you can audit activity. (4) Verify the API host (mega-api-prod.nemovideo.ai) and look for a homepage, privacy policy, or published API docs before sending private footage. If you need higher assurance, request the skill maintainer provide a homepage, publish the API spec, or run the integration under a restricted test account/tokens first.

Review Dimensions

Purpose & Capability
note: The skill claims to perform cloud-based AI video editing and requests a NEMO_TOKEN, which is appropriate for a hosted API. However the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/) while the registry metadata above the file lists no required config paths — this mismatch is unexplained and could mean the skill expects local config/credentials that are not documented in the registry entry.
Instruction Scope
note: Runtime instructions are concrete and focused on the editing workflow (create session, upload video, SSE for edits, poll export). They require network calls to https://mega-api-prod.nemovideo.ai and specify exact endpoints and headers. One thing to flag: the guide tells the agent to 'keep the technical details out of the chat' which reduces transparency of what the agent is doing and could hide diagnostic or security-relevant info from users.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This is the lowest-risk install mechanism since nothing is downloaded or written by an installer. The runtime will make network requests only when invoked.
Credentials
concern: The only declared credential is NEMO_TOKEN (primary credential), which is reasonable for a hosted video-editing API. However the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) that could contain additional credentials or settings; the registry metadata contradicts this (it listed no required config paths). That inconsistency is disproportionate and should be clarified before granting access to local config files or long-lived tokens.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable with normal autonomous invocation. It does not request permanent presence or system-wide configuration changes in the provided instructions.