Skill v1.0.0
ClawScan security
Video Editor Highlights · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 4:28 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a remote video-processing service: it uploads user video to a nemo video API using a NEMO_TOKEN (or an anonymous token it can fetch), but it will send your media and session metadata to an external service and the package has no homepage or source to verify the backend.
- Guidance: This skill appears to be coherent for a cloud-based video highlight service, but note: it will upload your raw footage to an external nemo-video backend (mega-api-prod.nemovideo.ai). Before installing, consider: 1) privacy — don't upload sensitive or private footage unless you trust the service; 2) tokens — if you set NEMO_TOKEN, treat it like a credential; if you don't set one the skill will fetch an anonymous token for you (100 free credits, 7-day expiry); 3) provenance — there is no homepage or source listed (owner ID only), which reduces your ability to audit the backend; 4) config path claim (~/.config/nemovideo/) is present in metadata though not used in instructions — verify why it’s needed. If you proceed, test with non-sensitive sample videos, and avoid placing other secrets in environment variables the skill can read.
Review Dimensions
- Purpose & Capability (ok): Name/description (automatic highlight extraction and export) align with the declared single credential (NEMO_TOKEN) and the SKILL.md which describes calls to a video-processing backend. Requesting a single API token is proportionate for a cloud render service.
- Instruction Scope (note): Instructions are focused on uploading video, creating sessions, streaming SSE, and triggering renders on mega-api-prod.nemovideo.ai. They explicitly tell the agent to check for NEMO_TOKEN and, if absent, obtain an anonymous token from the service. No instructions request unrelated local files, but the skill specifies detecting install path and adding attribution headers, which implies reading environment/paths to determine platform.
- Install Mechanism (ok): No install spec and no code files (instruction-only) — lowest-risk install footprint. Nothing is downloaded or written to disk by an installer.
- Credentials (note): Only NEMO_TOKEN is declared as required and is used as the Bearer token for API calls — reasonable for a remote service. The SKILL.md also describes generating an anonymous token if none is present. Metadata lists a config path (~/.config/nemovideo/) which isn't referenced in runtime steps; that extra config-path claim is slightly disproportionate and worth verifying.
- Persistence & Privilege (ok): always:false and default autonomous invocation are used. The skill does not request permanent system-wide privileges or attempt to modify other skills. No install-time persistence is requested.
