Skill v1.0.0

ClawScan security

Cutmv Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 5:45 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requested credential and runtime instructions are consistent with a cloud-hosted video-cutting service. Nothing in the SKILL.md demands unrelated credentials or risky installs, but the skill uploads user videos to an external API and its source is unknown, so proceed with caution.
Guidance
This skill appears to be what it claims: a cloud-based video cutting/export tool that will upload user media to https://mega-api-prod.nemovideo.ai and use a NEMO_TOKEN for authorization. Before installing or invoking it: (1) verify you are comfortable uploading your videos to the external service and check its privacy/retention policy (no homepage/source listed here), (2) prefer setting a NEMO_TOKEN you control instead of relying on an automatically fetched anonymous token, (3) avoid sending sensitive or PII-containing footage, and (4) if you need more assurance, ask the publisher for a homepage, privacy docs, or source code. The skill does reference reading install paths to set an attribution header. This is low-risk, but you should be aware the agent may inspect its own install location/config path for header metadata.

Review Dimensions

Purpose & Capability
ok: The skill is a remote video-cutting/export tool and it requires a NEMO_TOKEN for API calls to the nemo-video backend — that credential is coherent with the stated purpose. Declared supported formats, endpoints, and required Authorization headers match an external render service.
Instruction Scope
note: Instructions limit actions to creating a session, sending messages, uploading video files, polling render status, and returning download URLs. They do instruct the agent to hide technical details from the chat and to derive a platform header from install paths (which implies reading simple install path info). There is no instruction to read unrelated files, other credentials, or system secrets, but the skill will upload user videos and create/use tokens — users should be aware their media is sent to the external service.
Install Mechanism
ok: No install spec or additional packages are required — this is instruction-only so nothing is written to disk by the skill itself. This is the lowest-risk install posture.
Credentials
ok: Only a single service credential (NEMO_TOKEN) is required and is declared as primary; the SKILL.md also documents how to obtain an anonymous token if none is present. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
ok: The skill does not request always: true and does not instruct modification of other skills or system-wide settings. It does ask for a session token to interact with the backend (normal for this use case).