Editor Name

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know it uploads selected media and prompts to Nemovideo.ai and uses a bearer token or anonymous credits.

This skill appears purpose-aligned for cloud video editing. Install or invoke it only if you are comfortable sending selected media and prompts to Nemovideo.ai, using a NEMO_TOKEN or anonymous credits, and letting cloud render jobs run until completion.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Videos, audio, images, and prompts provided for editing may be processed by Nemovideo.ai rather than staying local.

Why it was flagged

The skill clearly sends user media and edit instructions to a named external provider for cloud processing. This is purpose-aligned, but privacy-relevant.

Skill content

This tool takes your raw footage and runs AI video editing through a cloud rendering pipeline. You upload, describe what you want, and download the result. ... All calls go to `https://mega-api-prod.nemovideo.ai`.

Recommendation

Use it only with files you are comfortable uploading to that provider, and review the provider's privacy and retention practices for sensitive footage.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill may use your NemoVideo token or anonymous credits when creating sessions, uploading media, or exporting videos.

Why it was flagged

The skill uses a provider bearer token or automatically obtains an anonymous starter token. This is expected for the service, but it can consume credits and represents delegated account access.

Skill content

If `NEMO_TOKEN` is in the environment, use it directly ... Otherwise, acquire a free starter token ... All requests must include: `Authorization: Bearer <NEMO_TOKEN>`.

Recommendation

Confirm you intend to use this provider token, monitor credit usage, and unset or revoke the token if you do not want the skill to use it.

ASI10: Rogue Agents
Low
What this means

An export may continue in the provider backend or become difficult to recover if the session is closed before completion.

Why it was flagged

Cloud render jobs can outlive the immediate chat/tab state. This is part of the render workflow, but users should be aware that interrupted jobs may continue or become hard to track.

Skill content

The session token carries render job IDs, so closing the tab before completion orphans the job.

Recommendation

Start exports intentionally, wait for completion when possible, and use the provider's cancellation or account controls if a job should not continue.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

You have less registry-provided information for verifying who maintains the skill or the provider integration.

Why it was flagged

The skill has limited provenance information in the provided registry metadata. There is no install-time code here, so this is not by itself suspicious, but it reduces independent verifiability.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher and the Nemovideo.ai service independently before uploading sensitive media or relying on the integration for important work.