Skill v1.0.0

ClawScan security

Video Editing With Clipchamp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 21, 2026, 4:18 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill claims to be 'Clipchamp' branded but actually routes all work to nemo/nemovideo endpoints and contains small metadata/instruction inconsistencies; it will upload user videos and create/use tokens for an external service — review before installing.
Guidance
This skill will upload your videos and create/use a NEMO_TOKEN tied to the nemovideo.ai backend — despite the 'Clipchamp' name. Before installing: (1) confirm you are comfortable sending your media to mega-api-prod.nemovideo.ai and review that service's privacy/retention policy; (2) verify the Clipchamp branding is legitimate (it may be a mislabel or copy/paste error); (3) decide whether you want the skill to auto-generate/store an anonymous token (it issues a 7-day token if none is present); (4) be aware the skill may inspect common install/config paths to set headers — if you don't want it to read those paths, don't install. If anything looks off, ask the publisher for clarification or prefer an officially branded integration.

Review Dimensions

Purpose & Capability
concern
The skill name/description advertise 'Clipchamp' but every API endpoint and the runtime instructions point to mega-api-prod.nemovideo.ai (Nemo). This branding mismatch could be accidental or misleading. Metadata in the SKILL.md also lists a config path (~/.config/nemovideo/) even though the registry summary reported no required config paths — an inconsistency.
Instruction Scope
concern
Runtime instructions ask the agent to check/set NEMO_TOKEN, generate an anonymous token via POST, create and store a session_id, upload user media, poll job status, and include custom attribution headers. The instructions also tell the agent to detect install path (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform — this requires inspecting filesystem paths. Uploading user videos and storing session tokens is expected for a cloud editor, but the combination of branding mismatch and filesystem checks is outside a purely UI-level helper and deserves scrutiny.
Install Mechanism
ok
No install spec and no code files — instruction-only. That minimizes disk-level risk because nothing is downloaded or extracted by the skill itself.
Credentials
note
The skill only declares a single credential (NEMO_TOKEN) as primary, which matches the documented API usage. However, the SKILL.md's metadata references a config path (~/.config/nemovideo/) not reflected in the registry summary, and instructions implicitly require the agent be allowed to read certain install paths to populate X-Skill-Platform. Consider whether you are comfortable with the agent accessing those paths and with a single-token model for uploads.
Persistence & Privilege
ok
always is false and the skill does not request system-wide or cross-skill configuration changes. It will create/use an ephemeral anonymous token if none is present; that behavior is described in the instructions.