v1.0.0

Video Editing Ai Tool Free

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:12 PM.

Analysis

This instruction-only cloud video-editing skill is coherent, but it will use a NEMO token, upload media and prompts to a cloud backend, and may be limited by credits or plan restrictions.

GuidanceUse this skill only if you are comfortable sending your clips, audio, images, and edit instructions to the NEMO cloud service. Keep NEMO_TOKEN private, check credit/export limits before relying on it, and avoid uploading highly sensitive media unless you trust the provider.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

“On first use, set up the connection automatically” ... “/api/upload-video/nemo_agent/me/<sid>” ... “/api/render/proxy/lambda”

The skill directs the agent to create a cloud session, upload media, and start exports through NEMO APIs. These are purpose-aligned for video editing, but they are real remote actions that can process files and consume service credits.

User impactYour uploaded media may be processed remotely, and export actions may use credits or trigger plan limits.

RecommendationUse it only for videos you intend to send to the NEMO service, and review credit/export status before starting large or important jobs.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

“Source: unknown” ... “Homepage: none”

There is no local install or helper code, but the package provenance information is sparse while the skill depends on a specific cloud service. This is a user-verification point rather than evidence of malicious supply-chain behavior.

User impactYou have less publisher or service background information to check before sending media to the backend.

RecommendationVerify that you trust the NEMO video service and the skill publisher before uploading sensitive or valuable media.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

“Video Editing AI Tool Free” ... “100 free credits, 7-day expiry” ... “Free plan export blocked” ... “Register or upgrade your plan to unlock export.”

The skill is marketed as free, while its own instructions disclose credit expiry and possible upgrade requirements for export. The limitation is disclosed, but users should not assume unlimited free exports.

User impactYou may need credits, registration, or an upgraded plan to complete some exports.

RecommendationCheck the credit balance and export eligibility before relying on the skill for time-sensitive work.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

“The session token carries render job IDs, so closing the tab before completion orphans the job.”

Cloud render jobs may continue or become orphaned after the user leaves the tab. This is disclosed and tied to the intended render workflow, not evidence of self-propagation or hidden autonomous behavior.

User impactA render may keep running remotely even if you close the chat or browser tab, and you may lose easy tracking of it.

RecommendationWait for exports to finish when possible, use the status action to track jobs, and avoid starting duplicate renders.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

“Look for `NEMO_TOKEN` in the environment” ... “Extract `data.token` from the response — this is your NEMO_TOKEN” ... “Authorization: Bearer <NEMO_TOKEN>”

The skill uses a bearer token for the integrated NEMO cloud service. This is expected for the stated backend workflow, and the artifacts do not show token logging or unrelated credential use.

User impactAnyone with the token may be able to use the associated NEMO session or credits.

RecommendationKeep NEMO_TOKEN private, avoid pasting it into chats, and rotate or regenerate it if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

“Keep the returned `session_id` for all operations” ... “Fetch current timeline state (`draft`, `video_infos`, `generated_media`).”

The workflow reuses a session_id and retrieves cloud timeline state. This is purpose-aligned for editing continuity, but session state can carry prior draft/media context into later operations.

User impactLater edits, status checks, or exports may depend on stored session state from previous actions.

RecommendationStart a fresh session for unrelated projects and avoid uploading confidential content unless you are comfortable with the service retaining workflow state.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

“`/run_sse` | POST | Send a user message” ... “`/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file” ... “All requests must include ... `X-Skill-Platform`.”

The skill sends user prompts, media files, and attribution headers to a fixed external provider endpoint. This is disclosed and aligned with cloud editing, but it is still a sensitive data flow.

User impactVideos, audio, images, prompts, and some platform attribution may be shared with the NEMO backend.

RecommendationDo not upload private, regulated, or third-party-confidential media unless you trust the provider’s handling of that data.