Skill v1.0.0

ClawScan security

Video Editor Ai By Prompt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 16, 2026, 5:43 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches a remote video-editing integration and asks only for a service token, but there are several inconsistencies and a few behaviors (automatic anonymous token creation, hidden token handling, and filesystem-based platform detection) that merit caution before installing.
Guidance
This skill appears to be a normal remote video-editing integration and only requires a NEMO_TOKEN — which is reasonable. Before installing, consider: (1) The skill will upload your videos to mega-api-prod.nemovideo.ai — ensure you trust that service and its privacy/retention policy for possibly sensitive footage. (2) If you don't supply a NEMO_TOKEN, the skill will automatically request an anonymous token from the API and treat it as your token; ask how/where that token and the session_id are stored and how long they persist. (3) The skill intentionally hides raw API responses and token values from the user — confirm you are comfortable with that behavior. (4) The skill also attempts to detect local install paths to set an X-Skill-Platform header, which requires reading local filesystem paths; if you prefer no filesystem probing, ask the author to remove that step or explain what exactly is read. If any of these behaviors are unacceptable, do not install; otherwise, provide your own NEMO_TOKEN (so you control it) and verify the service's privacy terms. Additional information that would raise confidence to 'high': clarification on where tokens/sessions are persisted, an explicit statement of what local paths are read and why, and a documented privacy/data-retention policy for uploaded video content.

Review Dimensions

Purpose & Capability
Note: The skill's stated purpose (remote prompt-based video editing) aligns with the network calls, upload, SSE, and render/export endpoints described. Requesting a single NEMO_TOKEN is proportionate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and the runtime instructions call for detecting install paths to set X-Skill-Platform. This filesystem probing is not obviously required to perform editing and is inconsistent with the registry metadata, which declared no config paths. That mismatch is worth questioning.
Instruction Scope
Concern: Instructions include normal operations for uploads, SSE, session creation and polling (expected). Concerning items: (1) automatic anonymous token generation when NEMO_TOKEN is not present (the skill will call the auth endpoint and treat the returned token as NEMO_TOKEN); (2) an explicit instruction to 'Don't display raw API responses or token values to the user' (this hides token values from the user by design); and (3) runtime reading of this file's YAML frontmatter and detection of local install paths (~/.clawhub, ~/.cursor/skills) to set X-Skill-Platform, which require reading local filesystem state. Those steps expand scope beyond simply uploading/processing video and should be made explicit to users.
Install Mechanism
OK: Instruction-only skill with no install spec and no code files. No packages or downloads are installed, which is low-risk from an installation standpoint.
Credentials
Note: Only NEMO_TOKEN is declared as required (primaryEnv), which is appropriate for a hosted service. The SKILL.md also references storing a session_id and suggests a config path in frontmatter. The skill will create an anonymous token if NEMO_TOKEN is absent; creation and storage behavior (where/how long the token/session is persisted) is not specified, creating a privacy/credential-handling concern.
Persistence & Privilege
OK: always is false and there is no install-time script or request for elevated privileges. The skill asks to store a session_id for subsequent requests (normal per-session state). There is no indication it modifies other skills or system-wide settings.