Skill v1.0.0

ClawScan security

Video Trimmer Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 8:30 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with a cloud video-trimming service: it needs a NEMO_TOKEN and uploads user video to nemo's API — nothing requested appears disproportionate to that purpose, though it will send user data to a third party and a small metadata inconsistency should be clarified.
Guidance
This skill appears to do what it says: it uploads videos to nemo's cloud service and returns trimmed outputs. Before installing, confirm you're comfortable uploading any videos you send (sensitive content may be exposed to the third party). Note the skill needs a NEMO_TOKEN (or will request an anonymous token on your behalf) — avoid reusing long-lived tokens from other services; use a dedicated token if possible. Ask the publisher to clarify the config-path declaration (~/.config/nemovideo/) vs. the registry metadata mismatch, and verify the service's privacy/retention policy at the API domain (mega-api-prod.nemovideo.ai) if you handle private material.

Review Dimensions

Purpose & Capability
note: Name/description (video trimming) match the declared primary credential NEMO_TOKEN and the SKILL.md's endpoints at mega-api-prod.nemovideo.ai. The only inconsistency: registry-level metadata reported "Required config paths: none", but the skill's YAML frontmatter declares a config path (~/.config/nemovideo/) in metadata.requires; this is likely an authoring oversight but should be clarified.
Instruction Scope
note: SKILL.md instructs the agent to create a session, upload user-sent video files, stream SSE messages, and poll export endpoints — all coherent for a cloud render pipeline. It also instructs reading the skill's YAML frontmatter for attribution headers and detecting install path to set X-Skill-Platform; these are reasonable but imply filesystem access to the skill file and possibly to the agent's home directory to detect an install path.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. This is the lowest-risk install pattern; nothing is downloaded or extracted.
Credentials
ok: Only NEMO_TOKEN is required (primaryEnv). The SKILL.md provides a fallback anonymous-token acquisition flow if the token is absent. No unrelated credentials, secrets, or multiple tokens are requested.
Persistence & Privilege
ok: always is false and the skill does not request elevated or permanent presence. It does instruct the agent to create short-lived sessions with the backend but does not attempt to modify other skills or system-wide settings.