Skill v1.0.0
ClawScan security
Ai Daily Review Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 8:37 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose (cloud video editing) and request only a single service token; nothing obvious is asking for unrelated system access or extra credentials.
- Guidance: This skill appears coherent for a cloud-based video editor: it uploads video files to mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN (or will request an anonymous token). Before installing or using it, consider: 1) Privacy: your videos will be uploaded to an external service — avoid sending sensitive personal or proprietary footage. 2) Token scope: store NEMO_TOKEN only for this skill or use the anonymous token flow; don't reuse a high-privilege token from other services. 3) Verify the service/domain and its privacy/retention policy if you care about data life-cycle. 4) Note the small metadata inconsistency (SKILL.md references a local config path that the registry did not list) and the header behavior that detects an install path — confirm you’re comfortable with the agent environment reading those locations. If you need stronger assurance, ask the skill author for a privacy policy or for a way to use short-lived anonymous tokens only.
Review Dimensions
- Purpose & Capability (ok): Name/description describe cloud video editing. The skill requires a NEMO_TOKEN (primary credential) and references a nemovideo config path in its own YAML metadata — both are consistent with using an external nemo video processing API. No unrelated credentials or binaries are requested.
- Instruction Scope (note): SKILL.md instructs the agent to acquire/use a NEMO_TOKEN (or obtain an anonymous token via the provided API), create a session, upload video files, stream edits via SSE, poll render status, and return a download URL. These actions are appropriate for a cloud-based editor. Minor scope notes: the doc says X-Skill-Platform is detected from an install path (e.g., ~/.clawhub/) which implies the agent may check its install location — the skill doesn't explicitly instruct reading unrelated system files, but this header-detection behavior is unusual and should be accepted only if you trust the agent environment.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. This is the lowest-risk install pattern — nothing is downloaded or written by an installer.
- Credentials (ok): Only a single environment credential (NEMO_TOKEN) is required and is the service token needed to call the external API. The SKILL.md also documents how to request an anonymous token if none is present. No unrelated secrets, keys, or passwords are requested. One minor inconsistency: registry metadata shows no required config paths, but the SKILL.md YAML frontmatter lists ~/.config/nemovideo/ — this is plausibly benign (optional local config) but worth double-checking.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request system-wide changes or modifications to other skills. It asks to save session_id for its own session management, which is expected for a remote-render workflow.
