Skill v1.0.0

ClawScan security

Video Ai Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 29, 2026, 4:36 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions mostly match a remote video-editing service, but missing provenance (no homepage/source), a declared config path that isn't explained, and the requirement to provide a bearer token for a third-party API are reasons to be cautious before uploading material or supplying credentials.
Guidance
This skill appears to do what it says (upload your video to a remote API and get edited output), but proceed with caution:
1) The skill will send your uploaded media to https://mega-api-prod.nemovideo.ai — do not upload sensitive content unless you trust that domain and its privacy/security posture.
2) If you provide a personal NEMO_TOKEN, you are giving that service account-level access (credits/billing) — prefer the anonymous token flow if you want limited exposure.
3) Metadata references a local config path (~/.config/nemovideo/) — ask the author whether the agent will read that path; if so, it could access tokens saved there.
4) There is no homepage or reputable source listed — verify the service's authenticity and privacy policy before using.
Recommended next steps before installing/using: confirm the official domain and ownership, ask what data retention and access controls they use, request clarification on the config path usage, and avoid uploading private or regulated content until you get satisfactory answers.

Review Dimensions

Purpose & Capability
ok
Name, description, and runtime instructions all describe a remote video-editing service. The single required credential (NEMO_TOKEN) and the listed API endpoints align with that purpose — requesting an API token is expected for a cloud render service.
Instruction Scope
note
SKILL.md instructs the agent to obtain or use a NEMO_TOKEN, create sessions, upload files, stream SSE events, and poll render status — all within the stated purpose. Minor oddities: metadata declares a config path (~/.config/nemovideo/) but the instructions do not describe reading it; instructions also require an X-Skill-Platform value 'auto-detect: from install path' which could encourage the agent to inspect its install location. No instructions ask the agent to read unrelated files or credentials.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written to disk by an installer in the provided material.
Credentials
note
Only NEMO_TOKEN is required as the primary credential, which is proportionate for a cloud API. However, metadata also lists a config path (~/.config/nemovideo/) that could contain credentials; SKILL.md does not explain whether or when that path will be read. Supplying a personal NEMO_TOKEN gives the remote service access to your account/credits and potentially billing actions.
Persistence & Privilege
ok
always is false, the skill is user-invocable and can be invoked autonomously (platform default). The skill does not request permission to modify other skills or system configs. No persistent installation footprint is declared.