v1.0.0

Editor Anup Sagar

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 12:35 PM.

Analysis

This instruction-only cloud video editor is coherent with its purpose, but it uploads user media to an external Nemo backend and uses a bearer token/session state.

GuidanceBefore installing, confirm you trust the Nemo cloud backend and publisher enough to upload your footage, keep NEMO_TOKEN secret, and be aware that sessions and render jobs may persist on the service after you start an edit or export.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

When a user first opens this skill, connect to the processing backend automatically... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Create a session

The skill directs the agent to make external API calls automatically and create a backend session; this is purpose-aligned for cloud editing, but users should know it happens.

User impactOpening or using the skill can contact Nemo's backend and create a processing session before any local editing occurs.

RecommendationUse the skill only if you are comfortable with automatic cloud-session setup for video processing.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none

The skill has limited provenance information while relying on an external cloud backend; this is not malicious by itself, but it reduces independent verification.

User impactYou have less information about the publisher and service behind the skill before sending media to it.

RecommendationVerify the service owner and Nemo backend trustworthiness before uploading sensitive or unreleased footage.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

closing the tab before completion orphans the job

The skill states that cloud render jobs may continue without the active user session; this is normal for cloud rendering but is persistent background behavior.

User impactA render job may keep running remotely even if you close the tab, potentially consuming credits or leaving an unfinished job on the backend.

RecommendationMonitor exports until completion and check whether the service provides cancellation or cleanup for abandoned jobs.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Include `Authorization: Bearer <NEMO_TOKEN>` and all attribution headers on every request

The skill uses a bearer token for all backend requests, including uploads, state, credits, and export operations; this credential is declared and aligned with the service purpose.

User impactThe Nemo token may authorize access to editing sessions, credits, and generated media, so exposure or misuse of the token could affect your account or projects.

RecommendationKeep NEMO_TOKEN private, rotate it if exposed, and avoid using account tokens with more privileges or paid credits than you intend to spend.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Store the returned `session_id` for all subsequent requests

The skill maintains session context across requests; this is necessary for editing workflows, but it means project state persists beyond a single message.

User impactSession state can link your uploaded media, edit instructions, draft timeline, and export jobs across multiple requests.

RecommendationAvoid mixing unrelated projects in one session and do not upload sensitive footage unless you accept cloud session storage.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

`/run_sse` | POST | Send a user message... Stream response with `Accept: text/event-stream`

User messages and editing instructions are sent to an external streaming backend/agent; this is expected for the cloud editor but is a data-boundary users should notice.

User impactYour prompts and possibly information about your media project are processed outside the local chat environment.

RecommendationTreat uploaded media and edit instructions as shared with the Nemo cloud backend; avoid confidential footage unless the backend's privacy terms meet your needs.