Skill v1.0.0
ClawScan security
Video For Social Media · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 6:49 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are coherent with a cloud-based video-editing service — it asks for a single service token and details only the network calls needed to upload, edit, and export videos.
- Guidance: This skill appears to do what it says: it uploads user-provided video files to a remote NemoVideo backend and returns edited clips. Before installing, consider:
  1) Privacy: any video you upload goes to https://mega-api-prod.nemovideo.ai — don't send sensitive or confidential footage unless you trust the service and have reviewed its privacy/retention policy.
  2) Credentials: prefer using the anonymous starter token flow rather than placing long-lived or high-privilege tokens in environment variables; if you do supply NEMO_TOKEN, ensure it is scoped and rotate/revoke it when no longer needed.
  3) Network activity: the skill makes outbound POST/GET requests and uploads files (up to 500MB) — ensure this is acceptable for your network and data caps.
  4) Attribution headers: the skill may inspect its environment/install path to fill a header value — be aware this may read non-sensitive path info.
  5) No installer or code files were provided for audit; the static scanner had no code to analyze, so confirm the service domain and privacy terms yourself before sending data.
  If you need higher assurance, ask the publisher for documentation, a privacy policy, or a way to run the service on infrastructure you control.
Review Dimensions
- Purpose & Capability (ok): Name/description (AI social video editing) align with required artifacts: a service token (NEMO_TOKEN) and an optional config path under ~/.config/nemovideo/. No unrelated credentials or binaries are requested.
- Instruction Scope (note): SKILL.md's runtime instructions stay focused on connecting to the remote NemoVideo API, creating/using a session, uploading user-supplied media, streaming SSE edits, polling render status, and returning a download URL. Minor scope notes: the skill instructs auto-acquiring an anonymous token if no NEMO_TOKEN is present (makes an outgoing POST), and asks to auto-detect an install path value to populate an attribution header — this could cause the agent to inspect its environment/install path. All network calls are to the stated API base (https://mega-api-prod.nemovideo.ai). There are no instructions to read unrelated local files or other environment variables.
- Install Mechanism (ok): Instruction-only skill; no install spec and no code files. This minimizes disk/write risk — nothing is downloaded or installed by the skill itself.
- Credentials (ok): Only a single credential (NEMO_TOKEN) is required and declared as the primary credential. The SKILL.md also documents a safe fallback path that requests an anonymous starter token from the same API. The declared config path (~/.config/nemovideo/) is consistent with storing service credentials or session state.
- Persistence & Privilege (ok): always is false and the skill does not request persistent platform privileges or attempt to modify other skills' configuration. Autonomous invocation is permitted (platform default) but not combined with broad or unrelated credential access.
