Skill v1.0.0

ClawScan security

Video Editor Change · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 6:06 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video-editing integration — it asks for a single service token and describes API calls that match that purpose, with no install step or unrelated credential requests — but there are small privacy/credential discovery details you should be aware of.
Guidance
This skill appears to do what it says: upload video files to a nemo-video cloud backend and return edited clips. Before using it, consider:
(1) You will be uploading video/audio to https://mega-api-prod.nemovideo.ai — do not send sensitive or private footage unless you trust the service and have reviewed its privacy/retention terms.
(2) The agent will look for NEMO_TOKEN and may try to read a nemovideo config path or detect install paths to set attribution headers; ensure those local files do not contain other sensitive credentials you don't want accessed.
(3) If you don't already have a NEMO_TOKEN, the skill will acquire an anonymous token from the service (100 free credits, 7-day expiry) — know that this creates/uses remote account state.
(4) Because this is an instruction-only skill with no code to inspect, you can't audit implementation beyond the described API calls; only proceed if you trust the remote domain and the operator.
If you need stronger assurances, request the skill publisher/source or run edits via a known vendor with documented privacy and audit logs.

Review Dimensions

Purpose & Capability
ok
Name and description describe cloud video editing and the skill only requires a single NEMO_TOKEN and an optional nemovideo config path; those items are appropriate for a service that uploads and renders videos remotely.
Instruction Scope
note
SKILL.md instructs the agent to use NEMO_TOKEN (or obtain an anonymous token via the service API), create sessions, upload files, and use SSE/polling for renders — all expected. It also directs the agent to read the skill's own frontmatter for attribution and to detect install path to set X-Skill-Platform; these require probing local paths which is plausible but broadens the file-system scope slightly.
Install Mechanism
ok
There is no install spec or downloaded code (instruction-only), so nothing is written to disk by an installer. This is a low-risk install profile.
Credentials
note
Only NEMO_TOKEN is declared as required, which fits the described API usage. Metadata also lists a config path (~/.config/nemovideo/) which implies the platform may read local config files (possibly containing saved tokens); that is explainable but worth awareness because it increases the chance of discovering local credentials.
Persistence & Privilege
ok
Skill does not request always:true and is user-invocable only. It does not ask to modify other skills or system-wide settings; autonomy flags are default/normal.