Skill v1.0.0

ClawScan security

Ai Video Editor Kannada · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 16, 2026, 8:05 PM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (cloud AI video editing with Kannada captions) aligns with its network calls and single credential, but there are small inconsistencies and privacy-relevant behaviors (anonymous token acquisition, automatic uploads to a third-party domain, and mismatched config-path metadata) that warrant caution before installing.
Guidance
This skill will upload your videos and related metadata to a third-party service at mega-api-prod.nemovideo.ai and will call the service even if you don't supply NEMO_TOKEN (it will create an anonymous token). Before installing or using it:
1) Verify you trust the nemovideo domain and understand their privacy/storage policy (do not upload sensitive or private footage unless comfortable).
2) If you must provide a long-lived NEMO_TOKEN, treat it like a secret and rotate it if compromised.
3) Ask the skill author to clarify the config-path inconsistency (SKILL.md lists ~/.config/nemovideo/ but the registry says none) — confirm whether the skill will read local config files or detect install paths.
4) If you want to avoid leaking local environment details, request removal of the behavior that derives X-Skill-Platform from local install paths.
If any of these items are unacceptable, do not install, or avoid uploading sensitive files.
Findings
[NO_SCAN_FINDINGS] expected: The package contains no code files and the regex-based scanner had nothing to analyze; the security surface is entirely the SKILL.md instructions.

Review Dimensions

Purpose & Capability
note: The skill claims to edit videos and add Kannada captions and requires a single primary credential (NEMO_TOKEN), which is coherent for a cloud API. However, the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is an inconsistency that should be clarified (does the skill expect to read local config?).
Instruction Scope
concern: The runtime instructions direct the agent to contact a remote service (https://mega-api-prod.nemovideo.ai) for session creation, SSE chat, upload, and export. That is expected for a cloud render pipeline, but the skill also instructs the agent to generate anonymous tokens when NEMO_TOKEN is absent (i.e., it will still contact the external API and may upload user videos without a pre-provisioned token). The instructions also ask the agent to detect the install path to set X-Skill-Platform headers (which can require querying local paths and leak local environment info). These behaviors are privacy-sensitive and go beyond purely local editing.
Install Mechanism
ok: There is no install spec and no code files — the skill is instruction-only. This minimizes disk persistence and installation risk.
Credentials
note: Only one environment variable (NEMO_TOKEN) is declared as required, which is proportionate for a service that needs authorization. However, SKILL.md metadata includes a configPaths entry (~/.config/nemovideo/) not declared in the registry requirements — that suggests the skill might read local config files (or claims it could), which should be either removed or explicitly documented. The instruction to include attribution headers derived from install paths can reveal environment information and is a minor privacy concern.
Persistence & Privilege
ok: The skill does not request permanent presence (always:false) and does not instruct modification of other skills or global agent settings. It will create ephemeral sessions/tokens with the remote API, which is expected for the described workflow.