Skill v1.0.0

ClawScan security

Video Editing With Ai Voice · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 16, 2026, 4:46 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions generally match a remote video-editing-with-AI-voice service and its single credential (NEMO_TOKEN) is plausible, but there are provenance gaps and small internal inconsistencies you should verify before using it.
Guidance
This skill appears to implement remote AI video editing and reasonably needs an API token (NEMO_TOKEN). Before installing or using it:
1) Confirm the service domain (mega-api-prod.nemovideo.ai) and the developer's identity or homepage — there is no source/repo or homepage listed.
2) If you must provide a NEMO_TOKEN, prefer a scoped or short-lived token (or use the anonymous-token flow) rather than putting a long-lived credential into your environment.
3) Understand that you will be uploading potentially sensitive media to a third-party server — ask the provider about retention, access controls, and privacy.
4) Clarify the config path discrepancy (~/.config/nemovideo/) reported in the SKILL.md frontmatter versus registry metadata.
5) If you need stronger assurance, request the skill's source code or an official homepage and audit the API endpoints, or test with non-sensitive sample media and a throwaway token first.

Review Dimensions

Purpose & Capability
note: The name, description, and SKILL.md all describe remote AI video editing and voice-replacement and the required NEMO_TOKEN is consistent with a service API. However, SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths; the package has no homepage or source repository, and the owner is an opaque ID — a provenance gap worth flagging.
Instruction Scope
note: Runtime instructions are explicit and scoped to the described service: check NEMO_TOKEN, optionally obtain an anonymous token from the provider, create a session, upload video files, stream SSE for edits, and request renders from mega-api-prod.nemovideo.ai. The instructions do not direct the agent to read unrelated local files or other credentials. They do require generating and sending a UUID as X-Client-Id and mandate custom attribution headers on every request — unusual but understandable for telemetry/tracking. No broad data-collection beyond uploading user media is requested, but users should be aware their media will be sent to the provider's servers.
Install Mechanism
ok: No install spec or code files are present (instruction-only). This minimizes filesystem risk because nothing is downloaded or executed locally by the skill itself.
Credentials
note: The skill requests a single environment credential (NEMO_TOKEN), which is proportionate for a remote API. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that suggests possible additional local config access — this conflicts with the registry's 'no config paths' claim and should be clarified. No other unrelated secrets are requested.
Persistence & Privilege
ok: The skill does not request always:true and does not ask for elevated platform privileges. It is user-invocable and can be called autonomously per platform defaults; nothing in the manifest indicates it will modify other skills or agent-wide settings.