Skill v1.0.0

ClawScan security

Video Editing Ai App Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 13, 2026, 8:36 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions largely match a cloud-based video-editing service (it only asks for one service token), but there are several inconsistencies and missing provenance (unknown source, mismatched metadata, and instructions that require filesystem and network access) that warrant caution before installing.
Guidance
This skill appears to connect to an external video-processing API and only asks for one service token (NEMO_TOKEN), which is consistent with its purpose — but exercise caution because the skill's source is unknown and the SKILL.md contains a metadata mismatch (it references a config path that the registry didn't declare). Before installing:
1) Verify the service domain (mega-api-prod.nemovideo.ai) and try to find an official homepage or privacy policy;
2) Avoid setting broad or sensitive credentials as NEMO_TOKEN — use a token dedicated to this service or use the anonymous flow for test runs;
3) Test with a non-sensitive short clip first to confirm behavior and retention;
4) Ask the skill author (or the registry) to clarify the configPath discrepancy and whether tokens or session IDs are ever persisted to disk;
5) If you care about data privacy, confirm how uploaded media are stored, how long they are retained, and whether downloads are public URLs.
If you cannot verify the service or provenance, do not provide private media or long-lived credentials.

Review Dimensions

Purpose & Capability
note: The declared primary credential (NEMO_TOKEN) and the API endpoints in SKILL.md are coherent with a cloud video-editing service. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — that mismatch is an incoherence worth questioning. The skill has no unrelated credential requests (no AWS/GitHub/etc.), which is appropriate for the stated purpose.
Instruction Scope
note: Instructions are primarily API calls to mega-api-prod.nemovideo.ai (session creation, upload, SSE for editing, render polling). These are consistent with the described functionality. Points to watch: the skill instructs the agent to read the SKILL.md YAML frontmatter at runtime and detect the install path (to set X-Skill-Platform), and it references multipart uploads using local file paths. Reading its own manifest is reasonable; requiring access to user-provided files for uploads is expected. Still, the instructions give the agent discretion to generate and store/use tokens and to interact with an external domain — verify you trust that endpoint and that only user-supplied media will be uploaded.
Install Mechanism
ok: No install spec and no code files (instruction-only). This is lower risk because nothing is downloaded or written to disk by an installation step. The runtime behavior still performs network calls, but there is no embedded install-time code to examine.
Credentials
note: Only NEMO_TOKEN is declared as required, which matches the service's use. However, the SKILL.md explains an anonymous-token flow that produces a short-lived token and suggests using it as NEMO_TOKEN — consider whether you will store that token in your environment or pass it to the agent session. Also confirm the earlier mismatch where SKILL.md mentions a config path (~/.config/nemovideo/) even though registry metadata indicated no required config paths.
Persistence & Privilege
ok: always:false and default autonomous invocation are set (normal). The skill does not request to be always-enabled or to modify other skills. There is no explicit instruction to persist tokens to system files, but the agent may keep session_id/token in memory for the session; clarify storage behavior if you are concerned about token lifetime or retention.