Back to skill
Skillv1.0.0
ClawScan security
Video Trimmer Cutter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 15, 2026, 11:24 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions broadly match a cloud video-trimming service; nothing appears intentionally deceptive, but there are a few small inconsistencies and privacy considerations to review before installing.
- Guidance
- This skill looks like a straightforward client for the nemo video-rendering API, but it sends your uploaded video files and (if present) your NEMO_TOKEN to https://mega-api-prod.nemovideo.ai. Before installing, consider: (1) Do you trust that external service to process and store your videos? Avoid uploading sensitive or private footage. (2) The skill can obtain an anonymous token itself if you don't provide one — it will make network calls to mint that token. (3) The runtime asks the agent to inspect some filesystem paths to set an attribution header (it references install directories beyond the declared config path); this is a minor inconsistency but means the skill may check for agent install locations. If any of these are unacceptable, do not install the skill. If you proceed, prefer using a limited/throwaway token and review the third‑party service's privacy/security documentation.
Review Dimensions
- Purpose & Capability
- okName/description align with the actions in SKILL.md (upload video, request cloud render, download result). Requiring a single API token (NEMO_TOKEN) is consistent with a cloud backend integration.
- Instruction Scope
- noteMost instructions stay on-task (establish session, upload files, poll render status, download URL). The skill instructs the agent to read this file's YAML frontmatter for attribution (expected) and to detect the agent install path by checking ~/.clawhub/ and ~/.cursor/skills/ to set X-Skill-Platform — this requires inspecting filesystem paths beyond the declared config path and is not strictly necessary for core trimming functionality.
- Install Mechanism
- okInstruction-only skill with no install spec or downloaded code — lowest risk from install mechanics.
- Credentials
- noteOnly NEMO_TOKEN is required (primary credential) which is proportionate for a third-party cloud API. The skill also supports generating an anonymous token by calling the remote API if no token is present. Metadata lists a config path (~/.config/nemovideo/), but runtime instructions reference other install paths (~/.clawhub/, ~/.cursor/skills/) — a small mismatch in declared vs. accessed paths.
- Persistence & Privilege
- okalways:false and normal model invocation. The skill does not request permanent presence or attempt to modify other skills or system-wide settings.