Skillv1.0.0

ClawScan security

Ai Video Editor In Chennai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 24, 2026, 6:28 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested credential and behavior are coherent with a cloud-based AI video editing service: it needs a NEMO_TOKEN, uploads local videos to nemovideo.ai, and manages sessions — nothing obviously unrelated or deceptive was found, but the source is unknown so exercise caution.
Guidance: This skill appears internally consistent for a cloud-based video editor, but it will contact an external domain (mega-api-prod.nemovideo.ai), may generate and store anonymous tokens, and will upload your local video files to that service. Before installing: (1) verify you trust nemovideo.ai (check a homepage/privacy policy or vendor identity — none was provided in the skill metadata), (2) avoid uploading sensitive or private footage unless you confirm retention and sharing policies, (3) consider pre-setting your own NEMO_TOKEN instead of allowing anonymous token generation so you control credentials, (4) be aware the agent may run autonomously and upload files without extra prompts — disable autonomous invocation if you want manual control, and (5) inspect any local config (~/.config/nemovideo/) the skill might write to and remove tokens when done. If you want higher assurance, ask the publisher for a homepage, privacy policy, and an official SDK or release URL.

Purpose & Capability: okName/description, required env var (NEMO_TOKEN), and config path (~/.config/nemovideo/) all match a cloud video-processing backend. No unrelated binaries, credentials, or services are requested.
Instruction Scope: noteInstructions are focused on authenticating, creating a session, uploading video files, handling SSE streams, and polling renders — all consistent with an editor service. Note: the skill instructs generating an anonymous token by calling an external API and to store session_id/token for subsequent calls. It also infers an install path to set an X-Skill-Platform header (may cause the agent to inspect common install paths). These are reasonable for the stated purpose but mean the agent will contact an external host and upload user files.
Install Mechanism: okInstruction-only skill with no install spec or code to write to disk. Lowest install risk.
Credentials: okOnly one credential (NEMO_TOKEN) is required and declared as primary; the declared config path aligns with the backend. No unrelated secrets or many environment variables requested.
Persistence & Privilege: notealways:false (normal). The skill permits autonomous model invocation (default), which is expected for skills that call a backend. Combined with network uploads and token use, autonomous invocation increases blast radius — users should be aware the agent can upload files and contact nemovideo.ai without interactive confirmation if invoked autonomously.