Skill v1.0.0

ClawScan security

Opus Ai Video Editor Job · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 20, 2026, 2:04 PM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (cloud video editing) matches most of its instructions, but there are small inconsistencies (metadata vs registry) and some privacy/operational behaviors you should understand before using it.
Guidance
This skill appears to do what it says (upload your video to a cloud backend for automated editing), but check a few things before using it:

1) Confirm you trust the domain (mega-api-prod.nemovideo.ai) and understand that your videos will be uploaded to that third party — don’t send sensitive footage unless you accept that.
2) Prefer providing a limited-scope or short-lived NEMO_TOKEN you control; if you don’t have one the skill will obtain an anonymous token for you automatically (functional but may still upload your data).
3) Ask the author to clarify the config path mention (~/.config/nemovideo/) and the install-path detection used to set X-Skill-Platform — those imply the agent may read install/config locations, which wasn’t declared elsewhere.
4) Because there is no source or homepage, consider requesting the service privacy/terms and a way to review or revoke tokens.

If any of these points are unacceptable, do not install or provide your credentials.

Review Dimensions

Purpose & Capability
note: The skill claims to perform cloud video editing and requires a single API token (NEMO_TOKEN). That aligns with the listed API endpoints and upload/export workflow. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not declare — a minor incoherence about required config access.
Instruction Scope
note: Instructions are focused on connecting to a remote API, creating sessions, uploading media, streaming SSE events, and polling render status — all coherent with video-editing. The skill also instructs the agent to detect install path (e.g., ~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header, which implies reading installation paths/locations; that file-system inspection is not declared in the top-level registry and is worth clarifying. The instructions tell the agent to upload user videos to a third-party backend (mega-api-prod.nemovideo.ai) — expected for this service but a privacy risk.
Install Mechanism
ok: There is no install spec and no code files — this is instruction-only, so nothing is downloaded or installed by default. That reduces supply-chain risk.
Credentials
note: Only one env var is required (NEMO_TOKEN), which is appropriate for an API-backed editor. The skill will also auto-request an anonymous token from the remote API if NEMO_TOKEN is not present; this is functional but means uploads can proceed without an explicit long-lived credential. The SKILL.md also references a config path (~/.config/nemovideo/) in its metadata but the registry listed no required config paths — inconsistent declaration.
Persistence & Privilege
ok: The skill is not always-enabled and does not request persistent platform privileges. It does not attempt to modify other skills or system-wide settings in the instructions provided.