Skill v1.0.0
ClawScan security
Video Compressor Iphone · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 12:39 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a cloud video-compression integration: it needs a single service token, talks to a documented API, and has no install footprint or unrelated credentials.
- Guidance
- This skill will upload your videos to a third-party backend (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN to authorize requests. If you don't supply NEMO_TOKEN the skill will request an anonymous token from the vendor and use it for the session. Before installing, consider: 1) Trust — you are sending video content to an external service; verify their privacy/retention and whether you want that content off your device. 2) Tokens/config — the skill may read ~/.config/nemovideo/ or detect install paths to find persisted tokens; inspect that folder if you have concerns. 3) Sensitive data — do not place other secrets in NEMO_TOKEN or in the declared config path. 4) Costs/credits — anonymous tokens mention limited credits/expiry; check pricing or potential charges. If you are comfortable with those trade-offs, the skill's requested access appears proportionate to its stated purpose.
- Findings
[no-findings] expected: The regex-based scanner had nothing to analyze because this is an instruction-only skill with no code files. That absence is expected; it does not imply safety of external API interactions.
Review Dimensions
- Purpose & Capability
- ok: Name and description (compress iPhone videos via cloud) align with the declared requirement for a NEMO_TOKEN and the SKILL.md's calls to a nemovideo.ai backend. There are no unrelated env vars or binaries requested.
- Instruction Scope
- note: SKILL.md stays within the compressor domain: check for NEMO_TOKEN, optionally obtain an anonymous token from the vendor, create a session, upload video files, poll export status, and return a download URL. It instructs the agent to include attribution headers and to map GUI-like commands to API calls. Minor scope notes: the skill derives an X-Skill-Platform header by inspecting common install paths (reads install path), and the metadata declares a config path (~/.config/nemovideo/). These imply the agent may read small parts of the user's home config to detect platform or existing tokens — behavior that is explainable but worth noting for privacy.
- Install Mechanism
- ok: Instruction-only skill with no install spec and no code files; nothing is downloaded or written by an installer. This is the lowest-risk install profile.
- Credentials
- note: Only one primary env var is required (NEMO_TOKEN), which is proportional to a cloud API integration. The metadata also declares a config path (~/.config/nemovideo/) — plausible (to find persisted tokens/config), but it expands the skill's access surface to the user's config directory. No unrelated credentials (AWS, GitHub, etc.) are requested.
- Persistence & Privilege
- ok: always:false and user-invocable:true (defaults) — the skill does not request permanent presence or system-level changes, nor does it instruct modifying other skills. It may create ephemeral session tokens for uploads but does not require elevated privileges.
