Skill v1.0.0

ClawScan security

Video Editor Ab2n · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 2:43 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a cloud-based video editing integration that talks to nemovideo.ai — nothing requested appears disproportionate, though there are a couple of small metadata notes to check.
Guidance
This skill appears to do what it says: it will upload your video files to mega-api-prod.nemovideo.ai and use a short-lived token for rendering. Before installing, confirm you trust nemovideo.ai (privacy and retention of uploaded videos), and be aware the skill may auto-generate an anonymous token and store a session_id for the editing job. Ask the author to clarify (1) the metadata mismatch about ~/.config/nemovideo/ vs the registry's 'no config paths' claim, (2) where session_id and tokens are stored and for how long, and (3) whether any local filesystem checks are performed to detect the install path. If you have sensitive footage, test with non-sensitive clips first.

Review Dimensions

Purpose & Capability
note: The skill claims to perform cloud video editing and only asks for a NEMO_TOKEN credential and (in its frontmatter) a nemovideo config path — requesting NEMO_TOKEN aligns with the declared purpose. Minor inconsistency: the registry metadata reported no required config paths, but the SKILL.md frontmatter lists ~/.config/nemovideo/ as a configPath; this mismatch should be clarified but does not imply malicious intent.
Instruction Scope
note: The SKILL.md instructs the agent to obtain or use a token, create a session, upload user media, use SSE and polling to drive edits, and poll render status — all expected for a cloud render pipeline. It also instructs deriving an X-Skill-Platform value by detecting install path (mentions ~/.clawhub/ and ~/.cursor/skills/), which implies reading/inspecting the agent's install path; this is plausible for accurate headers but should be explicit about what filesystem checks will be performed.
Install Mechanism
ok: No install spec or code files are provided (instruction-only). This is the lowest-risk install surface — nothing is downloaded or written by an installer.
Credentials
ok: Only a single credential (NEMO_TOKEN) is declared as required and is appropriate for a service that uses bearer tokens. The skill also documents an anonymous-token flow (POST to nemovideo.ai) if no token is present — reasonable for a consumer-facing integration. No unrelated secrets or broad credentials are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It instructs storing a session_id for ongoing requests (normal for session-based APIs). Nothing in the manifest indicates modification of other skills or system-wide configuration.