Skillv1.0.0

ClawScan security

Easemate Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 19, 2026, 9:22 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions align with its stated purpose of cloud-based AI video editing, but it will upload user video files to an external service and requests/stores a single service token—review privacy before use.
Guidance: This skill will upload any video files you give it to a cloud rendering service (mega-api-prod.nemovideo.ai) and uses a single service token (NEMO_TOKEN). Before installing, consider: 1) do not upload sensitive or confidential footage unless you trust the service and its privacy policy (no homepage was provided in the registry metadata); 2) prefer using the anonymous token flow described if you want to avoid tying the service to long-lived credentials; 3) the skill may persist a session_id and the token in your environment or config directory (~/.config/nemovideo/), so review and remove those if you stop using the skill; 4) if you need stronger assurance, ask the author for a project homepage/privacy policy or run the skill in a sandboxed environment. Overall the skill's declared requirements and instructions are coherent with its purpose, but exercise caution because user media is being transmitted to an external service.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: the SKILL.md exclusively describes sending video uploads and edit commands to nemovideo.ai endpoints and managing a session token (NEMO_TOKEN). Required env var (NEMO_TOKEN) and the declared config path (~/.config/nemovideo/) are consistent with a cloud video-processing integration.
Instruction Scope: noteInstructions remain within the editing workflow (create/obtain token, create session, upload files, SSE/polling, export). They explicitly instruct uploading user video files to an external cloud API (mega-api-prod.nemovideo.ai) and to persist a session_id and token. The skill does not request unrelated system files or credentials. Note: the skill expects to detect an install path to set X-Skill-Platform and mentions a configPath in metadata though the SKILL.md does not clearly describe reading that config directory.
Install Mechanism: okNo install spec and no code files (instruction-only) — lowest-risk delivery: nothing is written to disk by an installer step.
Credentials: okOnly a single credential is required: NEMO_TOKEN (primaryEnv). The SKILL.md documents how to obtain an anonymous token if none exists. No unrelated credentials or high-privilege env vars are requested. The declared config path (~/.config/nemovideo/) is plausible but not fully justified in the text.
Persistence & Privilege: okalways is false and there is no request to modify other skills or global agent settings. The skill will persist a session_id and may store a token (NEMO_TOKEN) in environment/config if used, which is normal for an API client.