Skill v1.0.0

ClawScan security

Compressor Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 12:04 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video compression) matches its instructions and required credential (NEMO_TOKEN); it is internally coherent, but it will upload user video files to an external service and may obtain/store an anonymous token, so review privacy implications before use.
Guidance
This skill is coherent for cloud-based video compression, but it requires uploading your video files to nemovideo.ai and will use or obtain an API token (NEMO_TOKEN) to do so. Before installing: (1) Ensure you are comfortable with your videos being transmitted to and processed by that external service; avoid uploading sensitive content. (2) Ask how/where the anonymous token or session_id is stored (environment vs a local config file) if you care about persistence or revocation. (3) Verify the service domain (mega-api-prod.nemovideo.ai) and privacy terms if this is for confidential material. If you need offline/local-only compression, this skill is not suitable.

Review Dimensions

Purpose & Capability
ok: Name/description (compress/export videos) align with the runtime instructions: the SKILL.md describes uploading videos, creating a session, sending SSE messages, and requesting renders from https://mega-api-prod.nemovideo.ai. The only declared environment credential (NEMO_TOKEN) is appropriate for a remote API-backed compression service.
Instruction Scope
note: Instructions stay within the stated purpose (auth, session creation, upload, render, poll, download). They explicitly instruct uploading user files to the vendor's cloud endpoints and using SSE for interactive edits. Minor ambiguity: the doc says 'Store the returned session_id' but does not specify persistence location; the frontmatter mentions a config path (~/.config/nemovideo/) and the agent is told to detect install path for X-Skill-Platform headers — these imply reading/writing small local state, but the SKILL.md doesn't instruct arbitrary host-file access beyond user-supplied video paths. Users should expect their videos to be transmitted to an external service.
Install Mechanism
ok: No install spec or code files are present (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk install profile.
Credentials
note: Only NEMO_TOKEN is required, which is proportionate for a remote API. Metadata also lists a config path (~/.config/nemovideo/) and primaryEnv NEMO_TOKEN — reasonable for persisting session tokens, though SKILL.md does not clearly state whether or where tokens/session IDs are persisted. That small mismatch (declared config path vs unspecified persistence) is worth noting.
Persistence & Privilege
ok: The skill is not always-enabled and uses normal model invocation. It does not request elevated platform privileges. The only persistence implied is storing a session_id or token for API calls (normal for a client of a cloud service).