Skillv1.0.0

ClawScan security

Instagram Video Editor Ai Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 26, 2026, 6:42 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are largely coherent with an AI video-rendering frontend that talks to a cloud backend, but there are small metadata inconsistencies and privacy considerations you should review before use.
Guidance: This skill is coherent with a cloud-based video editor, but before installing consider: (1) Uploaded videos will be sent to mega-api-prod.nemovideo.ai — do not upload sensitive or private footage unless you trust the service and its privacy terms. (2) You can provide your own NEMO_TOKEN or the skill can obtain an anonymous token automatically; providing your own token gives you more control. (3) There is a metadata mismatch: SKILL.md mentions ~/.config/nemovideo/ while the registry metadata did not list required config paths — ask the publisher which is correct. (4) The skill's source and homepage are unknown; verify the backend domain and operator reputation if possible. If you need stronger guarantees about data handling or provenance, prefer a skill with a documented homepage and known publisher before use.

Review Dimensions

Purpose & Capability: okThe skill claims to perform cloud video editing and only requests a single service token (NEMO_TOKEN) and API calls to a video-render backend (mega-api-prod.nemovideo.ai), which is proportionate to its stated purpose.
Instruction Scope: noteRuntime instructions stay within the editing/export domain: create/keep a session, upload files, use SSE for edits, poll render status, and return download URLs. They explicitly upload user video files to the remote backend, so the agent will transmit user media off-device — expected for a cloud editor but important to note. The SKILL.md also instructs auto-provisioning of an anonymous token if no NEMO_TOKEN is present, which is reasonable but broadens where credentials may originate.
Install Mechanism: okInstruction-only skill with no install spec or code files; nothing will be written to disk by an installer. This is the lowest-risk install pattern.
Credentials: noteOnly one credential is required (NEMO_TOKEN), which matches the backend calls in the instructions. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata summary provided earlier said no required config paths — this mismatch is an inconsistency to clarify. The skill will also generate or fetch an anonymous token if NEMO_TOKEN is not provided, which is expected but means the agent may call the auth endpoint to obtain credentials automatically.
Persistence & Privilege: okalways is false and the skill does not request persistent agent-wide privileges. It instructs maintaining a session_id in memory for operations, which is normal for a session-based service.