Skill v1.0.0
ClawScan security
Video Easemate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 6:14 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions align with a cloud video-editing service: it asks for one service token, calls a remote API to upload/process videos, and has no install steps — the only minor inconsistency is a metadata/config-path mention that isn't reflected elsewhere.
- Guidance: This skill is coherent for a cloud video-editing service, but consider the following before installing: (1) uploads and media will be sent to https://mega-api-prod.nemovideo.ai — do not upload sensitive or private footage unless you trust the service and reviewed its privacy policy; (2) if no NEMO_TOKEN is present the skill will automatically create an anonymous token by contacting the service — you may want explicit consent before auto-creating/storing tokens; (3) the frontmatter mentions a config path (~/.config/nemovideo/) even though registry metadata doesn't — ask the author to clarify whether the skill will read or write that path; (4) the skill owner and homepage are unknown — verify the vendor identity and service terms (storage, retention, sharing, billing) before use; (5) confirm how long uploads and generated outputs are retained and whether processing may incur charges once free credits expire.
Review Dimensions
- Purpose & Capability (ok): Name/description (cloud video editing) match the declared requirement for a single service token (NEMO_TOKEN) and the SKILL.md's API endpoints for uploads, SSE, and rendering. Required binaries and complex installs are not requested, which is appropriate for a cloud-only editor.
- Instruction Scope (note): Instructions are narrowly scoped to: check/generate NEMO_TOKEN, create a session, upload files, stream SSE, poll render status, and return download URLs. They do not instruct reading unrelated system credentials or arbitrary files. Minor note: the skill will inspect install paths (e.g., ~/.clawhub/ or ~/.cursor/skills/) to set an attribution header; this is limited but worth noting as filesystem probing.
- Install Mechanism (ok): No install spec and no code files — instruction-only. This is the lowest-risk install model; nothing is written to disk or downloaded by the skill itself.
- Credentials (note): Only NEMO_TOKEN is required (declared as primaryEnv) which is proportional for an API-backed editor. Two points to note: (1) SKILL.md describes automatically obtaining an anonymous NEMO_TOKEN if none is present (by POSTing to the nemovideo auth endpoint) — that will cause the agent to contact an external service and receive a token; (2) the YAML frontmatter metadata references a config path (~/.config/nemovideo/) even though the registry metadata lists no required config paths — this discrepancy should be clarified.
- Persistence & Privilege (ok): always:false and no instructions to modify other skills or global agent settings. Sessions and tokens are used transiently for API calls; the skill does not request permanent platform-wide privileges.
