Skill v1.0.0

ClawScan security

Ai Video Compressor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 10:05 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions match its stated purpose (remote AI video compression); it only needs a single service token and uploads user videos to the vendor's API as expected.
Guidance
This skill appears to do what it says: it will upload videos to the remote nemo-video service and use NEMO_TOKEN (or obtain a short-lived anonymous token) to run GPU-based compression. Before installing or using it, consider:
1) Privacy: your videos are transmitted to an external service (mega-api-prod.nemovideo.ai). Don’t upload sensitive content you wouldn’t want sent off-host.
2) Credentials: the skill only requires NEMO_TOKEN; if you have a long-lived token for other uses, avoid exposing it here or inspect how you provide it. If no token exists, the skill will request an anonymous token from the vendor (100 free credits, 7 days) using a generated client ID.
3) Local config: metadata references ~/.config/nemovideo/ and checks install paths to set X-Skill-Platform — the agent may inspect its environment/install path; this is low risk but be aware.
4) Autonomous invocation: the skill can be invoked by the agent during a session (normal behavior); if you want to restrict automatic calls, control skill usage in your agent settings.
If you need higher assurance, ask the publisher for a privacy/TOU link or request an audited endpoint and avoid uploading sensitive material until you verify the vendor.

Review Dimensions

Purpose & Capability
ok: Name and description describe remote video compression. The only declared credential is NEMO_TOKEN, which is appropriate for calling the nemo-video backend API described in SKILL.md. No unrelated credentials, binaries, or installers are requested.
Instruction Scope
note: The SKILL.md instructs the agent to read NEMO_TOKEN from the environment (declared), create an anonymous token via the vendor endpoint if absent, create sessions, upload user video files, stream SSE responses, and poll render status — all expected for a remote compression service. It also instructs deriving X-Skill-Platform from the install path (e.g., ~/.clawhub/ or ~/.cursor/skills/), which implies the agent may inspect its runtime/install path; this is minor but worth noting.
Install Mechanism
ok: There is no install spec and no code files — instruction-only — so nothing is downloaded or written to disk by the skill itself. This is the lower-risk case.
Credentials
ok: Only NEMO_TOKEN is required (declared as primaryEnv). The skill describes an anonymous-token fallback it will request from the vendor if no token is present. No unrelated secrets or system credentials are requested.
Persistence & Privilege
note: The skill is not set to always:true and is user-invocable. Metadata includes a config path (~/.config/nemovideo/) which may indicate where the vendor or the agent could store tokens/config; SKILL.md does not explicitly instruct writing to that path, but the presence of that config path suggests possible local config usage — a minor persistence signal to be aware of.