Skill v1.0.0

ClawScan security

Video Maker Free Windows · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 3:14 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (cloud video editing) matches most of its instructions, but there are inconsistencies and a few scope-creep items (filesystem/header probing and mismatched metadata) that warrant caution before installing.
Guidance
This skill uploads your videos and metadata to a third-party backend (mega-api-prod.nemovideo.ai) for processing — that's expected for a cloud render service but you should confirm you're comfortable with that. Specific things to consider before installing:

1) The SKILL.md asks the agent to probe paths in your home directory to set an X-Skill-Platform header and references ~/.config/nemovideo/ (the registry lists no config paths) — this filesystem probing could reveal environment details and seems unnecessary for simple editing.
2) The skill will either use NEMO_TOKEN from your environment or obtain an anonymous token by calling the service; understand what account, retention, and privacy rules apply to uploaded media.
3) Confirm the backend domain is legitimate and review its privacy/terms (where do uploaded videos go, how long are they stored, who can access them?).
4) If you keep a NEMO_TOKEN in your environment, ensure it is scoped and revocable.

If you want, ask the publisher for clarification about the configPath usage, what headers are sent, and whether uploads are encrypted and deleted after processing. Proceed only if you're okay with remote processing and the potential privacy implications.

Review Dimensions

Purpose & Capability
note: The skill claims to perform cloud-based video editing and all runtime instructions call a nemovideo cloud API for upload, session creation, SSE streaming, and render — this is coherent with the description. However, the skill metadata in SKILL.md declares a config path (~/.config/nemovideo/) while the registry metadata says 'Required config paths: none' — that mismatch is unexplained.
Instruction Scope
concern: Instructions require uploading user media to an external backend and instruct the agent to include attribution headers on every request. They also direct detection of the agent's install path (~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header and reference a local config path (~/.config/nemovideo/). Reading those paths is outside pure video-processing logic and could leak environment information. There's no explicit step to prompt for informed consent before sending user files/tokens to the remote service.
Install Mechanism
ok: No install spec or code files are present (instruction-only), so nothing will be written to disk by an installer. This is lower risk.
Credentials
concern: The skill declares a single required env var (NEMO_TOKEN), which fits a cloud service. But SKILL.md also describes generating an anonymous token if NEMO_TOKEN is absent and references a local config directory for nemo — the registry reported no config paths while the SKILL.md metadata includes one. The additional filesystem checks and header attribution are not obviously necessary to basic video editing and expand the data the skill will read/emit.
Persistence & Privilege
ok: The skill is not always-enabled and has no install-time persistence. It can be invoked autonomously (platform default), which by itself is expected; no evidence it modifies other skills or system-wide settings.