Skill v1.0.0
ClawScan security
Ai Rtk Compressor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 10:58 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requested credentials, runtime behavior, and network calls are coherent with its stated purpose (uploading and compressing videos via nemo's cloud API), but there are small metadata/instruction inconsistencies and privacy considerations you should review before installing.
- Guidance: This skill will upload whatever video files you send to mega-api-prod.nemovideo.ai and use either the NEMO_TOKEN you provide or an anonymous token it obtains for you. Before installing or using it: (1) verify you trust the remote service (check its homepage/privacy/data retention) because your media will leave your machine; (2) confirm the exact meaning and scope of NEMO_TOKEN (what account access it grants) and prefer a limited-scope token or anonymous flow if you do not want to bind an account; (3) ask the author to clarify the metadata mismatch (SKILL.md mentions ~/.config/nemovideo/ and install-path detection but registry metadata showed no config paths) — if the runtime will read local config paths, get details on what is read and why; (4) avoid uploading sensitive or regulated content until you know the service’s retention and deletion policy. If you want stronger assurance, request the skill source or a trusted homepage before proceeding.
Review Dimensions
- Purpose & Capability (ok): Name/description (cloud video compression) align with the skill's runtime instructions: it contacts https://mega-api-prod.nemovideo.ai, uploads video files, creates sessions, checks credits and requests exports. Requiring a single API token (NEMO_TOKEN) is expected for this purpose.
- Instruction Scope (note): SKILL.md instructs the agent to read NEMO_TOKEN (or obtain an anonymous token), create sessions, upload user video files (multipart) and stream SSE responses. This is within scope for a cloud compressor, but it explicitly transmits user media to an external domain (mega-api-prod.nemovideo.ai) — a privacy consideration. It also references detecting an install path for an X-Skill-Platform header, which implies reading filesystem/install-location information; that is not strictly necessary for compression and should be confirmed.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. This has low install-time risk because nothing is downloaded or written to disk by the skill package itself.
- Credentials (note): Only one credential is declared (NEMO_TOKEN) and is used for API authorization — proportionate for a cloud service. However, SKILL.md metadata includes a configPaths entry (~/.config/nemovideo/) and discusses detecting install paths, which suggests the runtime may read local config or path information; the registry summary shown earlier listed no required config paths, so there is a metadata mismatch you should clarify.
- Persistence & Privilege (ok): Skill does not request always:true and has no install-time persistence. It relies on ephemeral sessions with the remote service; no privileges to modify other skills or global agent config are requested.
