Skillv1.0.0

ClawScan security

Video Editing Ai Free Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 15, 2026, 7:50 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are largely consistent with a cloud-based AI video-editing integration, but there are minor documentation inconsistencies and normal privacy/network considerations you should review before use.
Guidance: This skill appears to do what it says: it uploads your video to a third‑party cloud service (mega-api-prod.nemovideo.ai), runs editing/rendering, and returns a download URL. Before installing or using it: 1) Confirm you trust the service and understand its privacy/retention policy — your raw footage will be transmitted off-device. 2) Prefer using an anonymous token for one-off use (SKILL.md supports generating a short-lived anonymous token) instead of a long-lived personal NEMO_TOKEN. 3) Ask the author to clarify the config path (~/.config/nemovideo/) discrepancy and where session_id/NEMO_TOKEN are stored so you know what local files may be read or written. 4) Verify billing/credit behavior (the docs mention credits, 402/2001 codes, and subscription tiers) so you aren’t surprised by blocked exports or account charges. If you need higher assurance, request the skill author provide a privacy/dataflow statement and confirm they won’t read unrelated local files or persist long-lived credentials.

Review Dimensions

Purpose & Capability: noteThe name/description (AI video editing) align with the actions in SKILL.md (upload footage, create session, render/export). The single required env var NEMO_TOKEN and the referenced API base (mega-api-prod.nemovideo.ai) are coherent for a cloud service. Minor inconsistency: the registry metadata at the top reported no required config paths, but the SKILL.md frontmatter's openclaw.metadata.requires includes a configPaths entry (~/.config/nemovideo/). That suggests either the manifest or the registry metadata is out of sync; asking the author to confirm whether the agent will read that config directory is recommended.
Instruction Scope: noteInstructions are explicit and scoped to the editing workflow (auth, create session, SSE conversation, upload, render, poll for output). They instruct generating an anonymous token if no NEMO_TOKEN exists and saving session_id. The file upload endpoints expect a file path or URL; the skill will transmit user media to the external service. The SKILL.md also directs including attribution headers and auto-detecting platform from install path — this implies the agent may inspect its install path. These behaviors are expected for this kind of skill but are worth being explicit about (where session IDs/tokens are stored and whether the agent will read ~/.config or install paths).
Install Mechanism: okNo install spec or external code is downloaded; this is instruction-only and will only make network calls. That minimizes disk-write risk.
Credentials: okThe skill declares a single credential (NEMO_TOKEN) as its primary credential, which matches the API-based workflow. There are no apparent unrelated secret requests. The only minor concern is the conflicting metadata about a config path (~/.config/nemovideo/) which could imply reading local config files; the SKILL.md should explicitly state whether it will read/write that path.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated platform privileges. It instructs saving session_id (expected for session-based APIs) but does not request modification of other skills or global agent settings. Autonomous invocation is allowed (default) which is normal; nothing else indicates elevated persistence.