Skill v1.0.0

ClawScan security

Espanol Editor Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 4:48 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud-based Spanish video editing service that uses a single API token (NEMO_TOKEN); a few small inconsistencies and privacy questions remain but nothing indicates malicious misdirection.
Guidance
This skill appears to be what it claims: a cloud service client that uses a NEMO_TOKEN to upload and edit Spanish videos on mega-api-prod.nemovideo.ai. Before installing or using it, consider: (1) Only provide a NEMO_TOKEN if you trust the Nemo service and its privacy/retention policy; uploaded videos will be sent to the nemo backend. (2) The SKILL.md will attempt to obtain an anonymous token automatically if you don't supply one—be aware that this still sends data to the same domain. (3) Ask the maintainer to clarify the inconsistent config path declaration (~/.config/nemovideo/) and the example language value ("en") so you know where tokens/sessions may be stored and whether UI language defaults are correct. (4) If you handle sensitive footage, confirm how long files are retained and whether you can delete them. If those answers are satisfactory, the skill's footprint is proportionate to its purpose.

Review Dimensions

Purpose & Capability
note: The skill claims to edit Spanish videos and its instructions call a nemo-video backend (mega-api-prod.nemovideo.ai) and require a NEMO_TOKEN; this is coherent. Minor inconsistencies: the skill frontmatter references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths; an example session creation body uses "language":"en" which is odd for a Spanish-focused editor but could be a UI-language/default parameter.
Instruction Scope
note: All runtime instructions use the nemo API endpoints for auth, session creation, upload, SSE, and rendering which fit the described purpose. The skill instructs the agent to fetch an anonymous token if NEMO_TOKEN is absent and to include attribution headers on every request. It also tells the agent to 'keep the technical details out of the chat' (i.e., not disclose request details to users); operationally reasonable but reduces transparency. No instructions request unrelated files/credentials or external endpoints beyond the stated API host.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files: lowest-risk install profile. The skill relies on runtime HTTP calls only.
Credentials
note: Only one credential (NEMO_TOKEN) is declared as required and is the primary credential, appropriate for a cloud API client. The frontmatter also lists a config path (~/.config/nemovideo/) which may be used to store session or token data; this config path appears in SKILL.md frontmatter but the registry metadata shown earlier listed no required config paths (inconsistency to verify). No other unrelated credentials are requested.
Persistence & Privilege
ok: Skill is not always-enabled and does not request elevated platform privileges. It creates and uses short-lived session tokens for API operations; nothing in the instructions attempts to modify other skills or system-wide settings.