Skill v1.0.0
ClawScan security
Video Editing Ai By Prompt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 5:04 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are broadly consistent with a cloud-based video-editing service that uses a single service token, but there are a few small metadata inconsistencies and privacy considerations you should review before use.
- Guidance: This skill appears to be what it says: a cloud-based video editor that requires a NEMO_TOKEN and uploads your videos to mega-api-prod.nemovideo.ai. Before installing or using it: (1) Confirm you are comfortable uploading videos and any private content to that external service; check its privacy/retention policy. (2) Provide only a token scoped for this service (avoid reusing broad or long-lived credentials). (3) Verify whether the skill will read ~/.config/nemovideo/ on your machine (the frontmatter mentions it) and remove or audit that directory if it contains secrets. (4) Note the skill can generate an anonymous token itself if NEMO_TOKEN is not set (100 credits, 7-day expiry) — that is normal but means temporary tokens could be created on your behalf. (5) If you need higher assurance, ask the skill author for a privacy/data-retention statement and confirm the API host is the official Nemo Video service.
- Findings: [no-findings] expected: The static scanner found no code to analyze. This is expected because the skill is instruction-only; the runtime instructions are the primary surface to inspect.
Review Dimensions
- Purpose & Capability [ok]: The skill is a cloud video-editing-by-prompt wrapper and only asks for a single service token (NEMO_TOKEN) and an optional local config path. That aligns with needing an API token to create sessions, upload videos, and start renders.
- Instruction Scope [ok]: SKILL.md instructs the agent to obtain/use an API token, create sessions, upload user-supplied video files, stream SSE messages, and poll render status — all expected for a cloud render workflow. The instructions do not ask the agent to read unrelated files, secrets, or system state beyond detecting an install path and handling user-provided file paths/URLs.
- Install Mechanism [ok]: No install spec or downloaded code is present (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk install model for a skill.
- Credentials [note]: The skill only requires one credential, NEMO_TOKEN, which is proportionate to the described cloud API. However, there is an inconsistency: the registry summary lists no required config paths, while the SKILL.md/YAML frontmatter includes configPaths ("~/.config/nemovideo/"). Confirm whether the skill will attempt to read that local config directory before installing.
- Persistence & Privilege [ok]: The skill is not marked always:true and does not request system-wide privileges. It may detect an install path and read user-supplied file paths for uploads, which is expected behavior for a file-uploading skill.
