Skill v1.0.0

ClawScan security

Editor Cinematic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 6:49 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video-editing service: it asks for a single service token and instructs uploading footage to that service; no unrelated credentials, installs, or mysterious behaviors are present, though there are a few small inconsistencies and privacy considerations to note.
Guidance
This skill appears to do what it says: it uploads your footage to an external service (mega-api-prod.nemovideo.ai) for cloud GPU processing and requires a single service token (NEMO_TOKEN). Before installing or using it, consider:
1) Privacy — your uploaded videos leave your device and are stored/processed by the service; avoid uploading sensitive material.
2) Token handling — prefer supplying your own token rather than relying on anonymous token generation if you need control; if you use anonymous tokens, note they expire and may be stored by the agent/session.
3) Verify the service domain and terms of service/privacy policy for how uploads are used or retained.
4) The SKILL.md references auto-detecting an install path for X-Skill-Platform and a config directory (~/.config/nemovideo/) — verify whether the agent will read filesystem paths if you are uncomfortable with that.
Overall the manifest is coherent with its stated purpose, but review privacy and token management before proceeding.

Review Dimensions

Purpose & Capability
ok: Name/description (cinematic video editing) align with the instructions: the SKILL.md documents endpoints for uploading video, editing via SSE, and exporting rendered MP4s. The only required credential is NEMO_TOKEN which is appropriate for a third-party processing API. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this is likely benign but inconsistent.
Instruction Scope
note: Runtime instructions explicitly direct the agent to accept user video and upload it to https://mega-api-prod.nemovideo.ai for cloud rendering (expected for this purpose). The skill also directs the agent to obtain an anonymous token if NEMO_TOKEN is not present and to save session_id from responses. One implementation detail to note: headers require an X-Skill-Platform populated by 'auto-detect: install path', which implies the agent may try to read its install path or similar environment information — that is outside pure editing logic and could require filesystem access. The instructions do not ask for unrelated env vars or other system files.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer step in the manifest.
Credentials
ok: Only NEMO_TOKEN is declared as required (primaryEnv). That matches the documented API usage. The skill offers an anonymous-token flow to obtain a short-lived token if none is set, which is consistent with a cloud service onboarding flow. No unrelated secrets (AWS, GitHub, etc.) are requested.
Persistence & Privilege
ok: always:false and no special platform privileges requested. The skill instructs saving session_id and using tokens for requests (normal for session-based APIs). It does not request modification of other skills or global agent configs.