Skillv1.0.0

ClawScan security

Trim Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 15, 2026, 4:50 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with a cloud video-trimming service: it only asks for a single service token and describes API calls for uploads, session management, and rendering.
Guidance: This skill appears to do what it claims: it uploads video files to a remote nemovideo API and returns trimmed exports. Before installing: (1) confirm you are comfortable uploading videos to https://mega-api-prod.nemovideo.ai and review that service's privacy/retention policy (avoid uploading sensitive footage). (2) Provide a NEMO_TOKEN only if you trust the service; otherwise let the skill generate an anonymous token as described (short-lived). (3) Note the minor mismatch about a config path (~/.config/nemovideo/) — the agent may check that directory if present. (4) The skill will include required attribution headers on requests; ensure that exposing these headers (and the NEMO_TOKEN) to that domain is acceptable. If you need higher assurance, ask the publisher for a homepage or code repo and for clarity on how session_id and tokens are stored/rotated.

Purpose & Capability: okName/description (trim and export video clips) align with required credential (NEMO_TOKEN) and the API endpoints described; no unrelated credentials or binaries are requested.
Instruction Scope: noteInstructions stay focused on uploading videos, creating sessions, streaming edits, and starting renders. Minor ambiguity: it instructs to "save session_id" but doesn't specify secure storage location. It also asks the agent to auto-detect an install path for X-Skill-Platform (which may require reading agent/install paths), but otherwise does not instruct reading unrelated user files or secrets.
Install Mechanism: okNo install spec or third-party downloads — this is instruction-only, so nothing is written to disk by an installer.
Credentials: noteOnly NEMO_TOKEN is required (declared as primaryEnv), which matches the service integration. One inconsistency: the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) while the registry metadata listed earlier said no required config paths — this could mean the agent may check that path if present. No unrelated secrets are requested.
Persistence & Privilege: okalways is false and there's no instruction to modify other skills or system-wide settings. The skill asks to retain a session_id for the session but doesn't request persistent, elevated privileges.