Skill v1.0.0
ClawScan security
How To Make Clips Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 5:23 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud-based video clipping) aligns with its runtime instructions and the single required credential (NEMO_TOKEN), with only minor inconsistencies and expected privacy considerations when uploading videos to a third-party service.
- Guidance: This skill appears to do what it says: it sends your uploaded videos to mega-api-prod.nemovideo.ai for cloud-based clipping and returns download links. Before installing or using it: (1) confirm you trust the service at mega-api-prod.nemovideo.ai and its privacy policy because your raw videos will be uploaded; (2) if you prefer control, set NEMO_TOKEN yourself (rather than relying on anonymous-token generation) and revoke it when done; (3) note the minor metadata mismatch (the SKILL.md references a config path and install-path detection); if you care about strict privacy, ask the skill author why that is needed or avoid running in environments where the agent could read arbitrary install paths; (4) avoid uploading sensitive content unless you have verified the provider.
Review Dimensions
- Purpose & Capability (note): The skill claims to cut and export clips using a cloud API and only requires NEMO_TOKEN; that is coherent. Minor inconsistency: the registry metadata listed no required config paths, but the SKILL.md frontmatter and metadata reference a config path (~/.config/nemovideo/). This is likely benign (informational) but is an unexplained mismatch between packaging metadata and the instruction document.
- Instruction Scope (note): SKILL.md instructs the agent to create or reuse a NEMO_TOKEN, start sessions, upload user video files, stream SSE responses, poll render status, and return download URLs, all expected for a cloud render service. It also instructs deriving/including attribution headers and detecting the install path to set X-Skill-Platform; the install-path detection is unnecessary for core functionality and implies the agent may inspect installation paths (minor scope creep). The skill will transmit user media to https://mega-api-prod.nemovideo.ai, which is expected but a privacy consideration.
- Install Mechanism (ok): No install spec and no code files; instruction-only. Low install risk since nothing is downloaded or extracted by the skill itself.
- Credentials (ok): Only a single credential (NEMO_TOKEN) is required. The SKILL.md provides a clear anonymous-token flow if the env var is missing. The level of credential access requested is proportionate to the described cloud rendering task.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request system-wide privileges. It instructs saving session_id for the active session (expected) but does not request persistent elevated privileges or modification of other skills.
