Back to skill
Skillv1.0.0
ClawScan security
Videomaker Freelance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 6:35 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are broadly consistent with a remote AI video-editing service, but there are a few metadata inconsistencies and privacy considerations you should review before installing.
- Guidance
- This skill appears to do what it says: it uploads your raw video to a remote GPU-backed editing service and returns a rendered MP4. Before installing, confirm you trust the external domain (mega-api-prod.nemovideo.ai) because your videos (and any audio/content inside them) will be transmitted and processed off-device. Ask the publisher for a homepage/privacy policy and clarify the config-path discrepancy (~/.config/nemovideo/ present in SKILL.md but not in registry metadata). Be cautious about including sensitive personal or proprietary content in uploads. If you need stronger privacy, request on-device editing or an explicit data-retention policy from the service.
Review Dimensions
- Purpose & Capability
- noteThe skill declares NEMO_TOKEN and remote API endpoints for uploading, editing, and rendering videos — these are consistent with a cloud video-editing service. However the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this discrepancy is unexplained and should be clarified.
- Instruction Scope
- okThe SKILL.md instructs the agent to create or use an API token, open a session, upload user video files, stream SSE edits, poll render status, and return a download URL — all actions expected for remote video processing. It does require sending potentially large and private user media to third-party servers (mega-api-prod.nemovideo.ai). The doc explicitly warns not to print tokens/raw JSON, which is good practice.
- Install Mechanism
- okNo install spec or code files are present; this is instruction-only, so nothing will be written/installed by an installer. Low install risk.
- Credentials
- okOnly a single credential (NEMO_TOKEN) is required and is the declared primary credential — this matches the service-oriented purpose. The skill also instructs how to obtain a short-lived anonymous token via the service, which is consistent with usage. No unrelated credentials or system secrets are requested.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills, and only asks to store session tokens and IDs for the editing session (expected). It warns that jobs may be orphaned if the UI closes — normal for server-side rendering.