Skill v1.0.0

ClawScan security

Ai Video Editor For Marketing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 6:31 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud video-editing service: it only asks for a service token and describes API calls to that service, with no install steps or unrelated credential requests — but the service domain and owner are unknown so exercise normal caution before uploading sensitive footage.
Guidance
This skill appears to be what it claims: a cloud-based AI video editor that needs a NEMO_TOKEN to call its API. Before installing/using:
1) Verify you trust the service domain (mega-api-prod.nemovideo.ai) and the skill owner because uploaded videos will be transmitted to that API.
2) Avoid uploading sensitive or confidential footage unless you understand the service's privacy/retention policy.
3) If you don't have a paid token, the skill will request an anonymous token automatically — prefer using temporary/anonymous tokens if you want to limit long-term access.
4) Note the SKILL.md shows multipart uploads using local file paths; confirm how your agent provides files (chat upload vs. local filesystem) to avoid unintended local file reads.
If you need higher assurance, ask the publisher for a homepage/privacy statement or a known service identity before proceeding.

Review Dimensions

Purpose & Capability
ok: Name/description (cloud AI video editing) match the declared env var (NEMO_TOKEN) and the SKILL.md API endpoints for uploading, rendering, and exporting videos. Requesting a service token is expected for a hosted editing service.
Instruction Scope
note: Instructions stick to session creation, upload, SSE messaging, polling render status, and download, all consistent with a remote render pipeline. Minor scope mismatch: metadata lists a config path (~/.config/nemovideo/) but the runtime instructions do not require reading it. The docs also show multipart uploads using local file paths (e.g., -F "files=@/path"), which assumes the agent can access a local path; in practice user-supplied chat file uploads or URLs would be used. This could cause an agent implementation to attempt filesystem access if not implemented carefully.
Install Mechanism
ok: Instruction-only skill with no install steps and no code files, so lowest installation risk.
Credentials
ok: Only a single credential (NEMO_TOKEN) is required, which is proportionate for a hosted API. The SKILL.md includes a fallback to request an anonymous token from the service if no env var is present; this is consistent with expected behavior and does not require unrelated secrets.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills, and has no install-time persistence; autonomous invocation is allowed by default but is not combined with other broad privileges here.