Skill v1.0.0

ClawScan security

Trimmer In Vlc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 18, 2026, 12:33 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill claims to be a VLC-based trimmer but actually routes uploads to a cloud service (nemovideo) and has inconsistent metadata; uploading videos and providing a token may be fine for its stated cloud workflow, but the name/description and metadata mismatches are a red flag you should understand before installing.
Guidance
This skill appears to be a cloud-based video trimmer (nemovideo) despite its VLC-themed name. Before installing or using it:
1) Understand that videos will be uploaded to https://mega-api-prod.nemovideo.ai — do not send sensitive or private footage unless you trust that service and have read its privacy/terms.
2) The skill asks for NEMO_TOKEN (or will request an anonymous token); prefer using an anonymous/testing token and test with non-sensitive videos first.
3) Note the metadata mismatch (VLC name vs cloud API and inconsistent configPath declarations) — that could be sloppy labeling or a sign of copy-paste errors; ask the publisher for clarification if you need local VLC-only behavior.
4) Check the domain and headers the skill requires (X-Skill-Source, X-Skill-Version, X-Skill-Platform) and confirm you are comfortable that the agent will send those on every request.
5) If you don’t want cloud uploads, don’t install — this skill does not perform trimming locally.
If you want more assurance, ask the publisher to clarify the name, remove the confusing configPath metadata, and provide a privacy/terms link for the endpoint.

Review Dimensions

Purpose & Capability
concern: The skill is named and described as a 'Trimmer In VLC' (which implies local VLC integration), but every runtime instruction points to a cloud API (mega-api-prod.nemovideo.ai) and cloud GPU rendering. The required NEMO_TOKEN and the service endpoints make sense for a cloud trimming service, not for VLC. This name/intent mismatch is incoherent and could mislead users about where their video data goes.
Instruction Scope
note: SKILL.md stays mostly within video upload, session creation, SSE, and export flows for the nemovideo API. It instructs using NEMO_TOKEN (if present) or requesting an anonymous token, creating sessions, uploading files, and polling render status. Nothing in the instructions asks to read unrelated local files or other environment variables, but the skill asks to 'keep technical details out of the chat' (a UI guidance) and requires adding attribution headers to every request. The instructions are explicit about network calls and uploading user media — which has privacy implications but is consistent with a cloud trimming service.
Install Mechanism
ok: Instruction-only skill with no install spec or code files — lowest-risk installation footprint. Nothing is downloaded or written by an install step.
Credentials
note: The only required credential is NEMO_TOKEN (primaryEnv), which is proportional for a service that requires authentication. However, SKILL.md frontmatter also references a config path (~/.config/nemovideo/) while the registry metadata lists no config paths — this inconsistency is unexplained. The skill will also obtain an anonymous token if no NEMO_TOKEN is present, which means it will make network requests on the user's behalf even without pre-existing credentials.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk factors.