Skill v1.0.0

ClawScan security

Video Trimmer Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 8:35 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are generally consistent with a cloud-based video trimming service, with only minor documentation inconsistencies and a few behavior points you should confirm before installing.
Guidance
This skill appears to do what it says: it uploads your videos to a nemovideo.ai backend for trimming and returns download URLs. Before installing, confirm you trust the mega-api-prod.nemovideo.ai domain and are comfortable with video files being uploaded to that third party. Note the skill will try to detect an install path (it may read certain local paths) and can automatically fetch an anonymous NEMO_TOKEN if you don't provide one — anonymous tokens grant limited, short-lived access (described as 7 days / 100 credits). If you prefer, provide your own NEMO_TOKEN with limited scope or use the anonymous token flow only for non-sensitive clips. Also ask the skill author to clarify the tiny metadata mismatch (configPaths declared in SKILL.md but not in registry metadata) and to confirm exactly which local paths the skill will inspect. If you handle sensitive video content, avoid installing or uploading until you have vendor privacy/retention details.

Review Dimensions

Purpose & Capability
ok: The skill is a cloud video-trimming frontend and only requests a single service token (NEMO_TOKEN) used to call the nemovideo.ai API, which is appropriate for the stated purpose. One small inconsistency: the registry metadata at the top lists no required config paths, while the SKILL.md YAML frontmatter includes a configPaths entry (~/.config/nemovideo/). This mismatch is likely a documentation gap rather than a functional red flag, but worth confirming.
Instruction Scope
note: SKILL.md instructs the agent to create an anonymous NEMO_TOKEN (POST to /api/auth/anonymous-token) when no token is present, create sessions, upload video files (multipart or URL), and poll render endpoints — all expected for a remote render service. It also describes detecting an install path to set an X-Skill-Platform header (reading filesystem/install path), which requires the agent to examine local paths; this is plausible but worth verifying because it implies filesystem inspection beyond simply receiving an uploaded file. The instructions do not ask the agent to read unrelated secrets or arbitrary user files.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code to download or execute. That is the lowest-risk install pattern and matches the skill description.
Credentials
ok: Only one environment variable is declared (NEMO_TOKEN) and it is appropriate for a cloud API client. The SKILL.md also documents obtaining an anonymous token from the service if NEMO_TOKEN is absent; that behavior is consistent with the declared primaryEnv. There are no unrelated credentials requested.
Persistence & Privilege
ok: The skill does not request always:true or other elevated persistent privileges, does not ask to modify other skills, and is user-invocable. Autonomous invocation (disable-model-invocation:false) is the platform default and is not itself a problem here.