Compressor Youtube
Analysis
This skill appears purpose-aligned for cloud video compression, but users should know it uploads videos to a NemoVideo backend and uses a Nemo token/session.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Backend says | "click [button]" / "点击" | Execute via API
The skill treats certain backend text responses as triggers for follow-up API actions. This is a limited control handoff to the integrated backend, but it is described as part of the intended video workflow.
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... Export ... POST `/api/render/proxy/lambda`
The skill can upload user-provided files or URLs and start server-side render/export jobs. These are normal tools for a video compression skill, but they are high-impact enough for users to notice.
Source: unknown; Homepage: none
The skill has limited public provenance metadata. There is no local install script or code in the provided artifacts, so this is a provenance note rather than evidence of unsafe installation behavior.
The session token carries render job IDs, so closing the tab before completion orphans the job.
A render job can continue or become untracked after the local session is interrupted. This is disclosed and contained to the remote render workflow.
Upload your large video files ... up to 500MB ... A quick example: upload a 1.2GB YouTube vlog
The instructions contain a size-limit inconsistency and marketing-style claims such as compression without losing quality. This is not evidence of malicious behavior, but users should verify actual limits and output quality.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Check if `NEMO_TOKEN` is set... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... `Authorization: Bearer <token>`
The skill uses a bearer token, either from the environment or an anonymous-token endpoint, to authenticate to the NemoVideo API. This is expected for the disclosed cloud service and no artifact shows token logging or unrelated use.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Store the returned `session_id` for all subsequent requests.
The skill maintains a session identifier and later queries session state containing draft and media information. This is expected for a multi-step render workflow, but it means remote context persists across requests.
The AI video compression runs on remote GPU nodes — nothing to install on your machine... Upload: POST `/api/upload-video/nemo_agent/me/<sid>`
The skill sends user media to an external backend named nemo_agent for processing. The endpoint and bearer-token authorization are disclosed, making this purpose-aligned, but it is still a data boundary users should understand.