Back to skill
Skillv1.0.0
ClawScan security
Video Editing Ai Chatgpt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 16, 2026, 5:59 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions are coherent with a cloud-based AI video editing service: it asks for a single service token, uploads user video files to the named backend, and uses session-based APIs — nothing in the skill's assets suggests misdirection or unrelated access.
- Guidance
- This skill is internally consistent for a cloud-based video editor, but it will upload your raw videos and related metadata to the external service hosted at mega-api-prod.nemovideo.ai. If you install it: (1) be comfortable sending your media to that third party; (2) note the skill can obtain an anonymous NEMO_TOKEN for you (100 free credits, 7-day expiry) if none is present; (3) keep any persistent NEMO_TOKEN secret and revoke it if you stop using the service; and (4) review the service's privacy/terms before sending sensitive content. Because the skill is instruction-only, there is no bundled code to inspect — trust depends on the remote endpoint.
Review Dimensions
- Purpose & Capability
- okName/description (AI cloud video editing) match the declared requirement for a service token (NEMO_TOKEN) and a config path (~/.config/nemovideo). Required files, endpoints, and actions (upload, render, download) are appropriate for the described purpose.
- Instruction Scope
- noteThe SKILL.md instructs the agent to upload user-supplied media and interact with a remote API (create anonymous token if none, create session, send SSE, start renders, poll status). This is expected for a cloud editor but does involve transmitting user media and metadata to mega-api-prod.nemovideo.ai; the instructions do not request unrelated system files or unrelated environment variables.
- Install Mechanism
- okNo install spec and no code files (instruction-only). This minimizes local write/execution risk — the skill relies on HTTP interactions only.
- Credentials
- okOnly a single credential (NEMO_TOKEN) and an optional config path are declared. Those are proportional to a cloud editing backend. The SKILL.md's behavior (exchange for an anonymous token if missing) aligns with the declared NEMO_TOKEN requirement.
- Persistence & Privilege
- okThe skill is not configured always:true, does not request system-wide changes, and has no install-time persistence. Autonomous invocation is allowed (platform default) but not combined with other suspicious privileges.