Skill v1.0.0

ClawScan security

Gif Compressor Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 8:14 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based GIF/video compression service — it asks for one service token and instructs uploading media to that service, which matches its purpose.
Guidance
This skill uploads your media to https://mega-api-prod.nemovideo.ai and either uses an existing NEMO_TOKEN or requests an anonymous token on your behalf — check that you trust that domain and its privacy/retention policy before sending sensitive files. Note the SKILL.md references a local config path (~/.config/nemovideo/) even though the registry metadata did not declare it; ask the publisher to clarify where session tokens or session_id are stored. If you need guaranteed privacy, avoid uploading private content or review the service terms first.

Review Dimensions

Purpose & Capability
ok: Name/description (GIF/video compression) align with the runtime instructions (upload, render, export) and the single required env var NEMO_TOKEN; the skill's network endpoints point to a media-processing backend that fits the stated purpose. Minor metadata mismatch: SKILL.md frontmatter declares a config path (~/.config/nemovideo/) but registry metadata lists no required config paths.
Instruction Scope
ok: SKILL.md narrowly instructs the agent to obtain (or use) a NEMO_TOKEN, create a session, upload files, run exports, and poll status — all actions needed for remote rendering. It does cause user media to be uploaded to a third‑party domain (mega-api-prod.nemovideo.ai), which is expected but a privacy consideration; it also instructs automatic anonymous-token creation if no token is present.
Install Mechanism
ok: No install spec or downloaded code — instruction-only skill. This is the lowest install risk and consistent with the content (all runtime actions are remote API calls).
Credentials
note: Only one credential is required (NEMO_TOKEN), which directly maps to the service used. The skill also describes how to auto-provision an anonymous token via the backend API. The frontmatter mentions a config path (~/.config/nemovideo/) not declared elsewhere — a small inconsistency but not inherently malicious.
Persistence & Privilege
ok: always:false and normal invocation/agent-autonomy settings. The skill asks to store session_id for ongoing requests (expected for session-based APIs) but does not request elevated privileges or to modify other skills or system configuration.