Skill v1.0.0

ClawScan security

Video Editor Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 10:36 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match a cloud-based video-editing service (uploads user videos and uses a NEMO_TOKEN), but there are inconsistencies and missing provenance (no source/homepage, differing frontmatter vs registry metadata) that warrant caution before installing or providing sensitive files.
Guidance
This skill appears to be a cloud-based video editor that uploads your footage to an external API (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN. Before installing or using it:
1) Verify the service/provider (there's no homepage or source repo listed).
2) Don't upload sensitive or private footage until you confirm retention/privacy rules.
3) Prefer using anonymous tokens (the SKILL.md documents a 7-day anonymous token flow) over giving a long-lived token.
4) Ask the publisher to clarify the conflicting metadata (the SKILL.md frontmatter references ~/.config/nemovideo/ but the registry metadata does not) and where the skill stores session_id/tokens.
5) If you must provide a persistent NEMO_TOKEN, isolate it (use a dedicated account) and monitor credit/usage.
The inconsistencies and lack of provenance are why I rate this suspicious rather than benign.

Review Dimensions

Purpose & Capability
note: The name/description (cloud AI video editing) align with the runtime instructions (POST uploads, render/export endpoints). Requesting a NEMO_TOKEN as the primary credential is coherent for a cloud API. HOWEVER the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/) while the registry metadata reported no required config paths; this mismatch is unexplained. The skill also lacks a homepage or source repo which reduces trust.
Instruction Scope
note: Instructions direct the agent to create sessions, upload user-provided files (multipart uploads or URL), post messages via SSE, poll render status, and return download URLs, all expected for a cloud editor. They also instruct generating an anonymous token if none exists. Minor scope concerns: the doc asks to 'auto-detect' X-Skill-Platform from an install path and to 'save session_id' without specifying storage location; both give the agent discretion about reading its environment or filesystem (potentially ambiguous). The skill explicitly sends user files and metadata to an external domain (mega-api-prod.nemovideo.ai).
Install Mechanism
ok: This is instruction-only with no install spec and no code files, so nothing is written to disk by the skill itself. That is the lowest install risk.
Credentials
note: Only one credential is declared (NEMO_TOKEN) which is proportionate to a cloud API. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) not listed in the registry metadata; it's unclear whether the agent will try to read that local config directory. No other unrelated credentials are requested.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable; it does not request permanent platform-wide presence. Instructions to 'save session_id' are normal for session-based APIs but do not imply altering other skills or global agent config.