Back to skill
Skillv1.0.0
ClawScan security
Video Cli Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 28, 2026, 4:26 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with a cloud-based video-editing CLI: it needs a NEMO_TOKEN (or will obtain an anonymous one), talks to nemovideo.ai endpoints, and contains no install or local binary requirements.
- Guidance
- This skill is internally consistent for a cloud-based video-editing CLI: it will send your uploaded videos to mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN (or will obtain a 7‑day anonymous token). Before installing, consider privacy and trust: do you want these video files uploaded to that remote service? Review the service's terms/privacy and only supply a persistent NEMO_TOKEN if you trust it. Note the SKILL.md will read its YAML frontmatter and detect install paths for attribution headers (harmless but it does access local paths). There is no install script or local binary, which reduces installation risk. If you want extra caution, avoid providing a permanent NEMO_TOKEN and monitor network uploads or run the skill in an environment with non-sensitive test videos first.
Review Dimensions
- Purpose & Capability
- okName/description (cloud CLI video edits) match the actions described in SKILL.md: session creation, uploads, SSE editing, export and polling on https://mega-api-prod.nemovideo.ai. Requesting a NEMO_TOKEN (and providing a flow to obtain an anonymous token) is proportional to a cloud backend integration. Minor metadata mismatch: registry metadata listed no config paths, but the SKILL.md frontmatter mentions ~/.config/nemovideo/ (small inconsistency).
- Instruction Scope
- noteInstructions are explicit and focused on the video-editing workflow (token check, session creation, upload, SSE, export polling). The skill will read NEMO_TOKEN from the environment, may call the anonymous-token endpoint if absent, will read this file's YAML frontmatter at runtime, and will detect install path to populate attribution headers. These file/path reads are limited and tied to attribution or local config; they are within the stated purpose but worth noting because they cause the agent to access some local paths and the SKILL.md itself.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only). That minimizes risk from arbitrary installs or disk writes.
- Credentials
- okOnly one credential is required: NEMO_TOKEN (declared as primary). The SKILL.md also implements a reasonable anonymous-token flow if the env var is missing. No unrelated secrets, no surplus environment variables requested.
- Persistence & Privilege
- okalways is false and there is no install that modifies other skills or system settings. The skill does instruct reading its own frontmatter and detecting install paths for attribution headers, which is limited scope and not a persistence escalation.