Trimmer High Quality
Analysis
This appears to be a cloud video-trimming skill, but it uploads your footage to NemoVideo and uses a service token/session to process and export clips.
Findings (9)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
| "click [button]" / "点击" | Execute via API |
The skill instructs the agent to translate backend GUI-style messages into API actions. This is aligned with the remote editor workflow, but it means backend text can steer subsequent agent actions.
Upload — `POST /api/upload-video/nemo_agent/me/<sid>` ... Export — `POST /api/render/proxy/lambda`
The skill uses remote API actions to upload files and start exports. These actions are central to cloud video trimming, but they can send user content and consume service credits.
Source: unknown; Homepage: none
The skill has limited provenance metadata. There is no install script or local code, so the main trust decision is whether the listed remote service is acceptable.
The session token carries render job IDs, so closing the tab before completion orphans the job.
A render job can continue or become orphaned if the user leaves before completion. This is disclosed and tied to the rendering purpose, but it can affect job tracking or credits.
Tell the user you're ready. Keep the technical details out of the chat.
The skill tells the agent not to show technical details after connecting. The artifacts otherwise disclose the cloud API workflow, so this is a transparency note rather than evidence of deception.
closing the tab before completion orphans the job
The artifact discloses that a server-side render job may continue after the local interaction is interrupted. This is purpose-aligned rendering behavior, not self-propagation or hidden local persistence.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
The skill requires a NemoVideo bearer token, or creates an anonymous starter token if one is not present. This is expected for the provider integration and no credential leakage is shown.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
The `session_id` in the response is needed for all following requests.
The workflow depends on a remote session that carries project state, media information, and render job identifiers. This is normal for a cloud editor but means context persists with the provider during the task.
Chat (SSE) — `POST /run_sse` with `session_id` and your message ... Tool calls stay internal.
The skill exchanges messages and internal tool-call signals with a remote SSE backend. The endpoint is fixed and authenticated, but users may not see all backend-driven internal actions.