Skillv1.0.0

ClawScan security

Product Video Cutter Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 19, 2026, 11:20 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (cloud video trimming) matches the API calls it describes and the single required credential (NEMO_TOKEN), but there are small inconsistencies and privacy/telemetry concerns you should understand before installing or uploading sensitive videos.
Guidance: This skill appears to do what it says (upload your footage to a remote rendering service and return trimmed clips) and only asks for one credential (NEMO_TOKEN). Before installing or using it: - Remember you will be uploading video to an unknown third-party host (mega-api-prod.nemovideo.ai). Do not upload sensitive or confidential footage until you confirm the provider's privacy policy and security practices. - Prefer supplying your own NEMO_TOKEN (if you have one) rather than letting the skill generate an anonymous token, and store that token securely. Treat NEMO_TOKEN as a secret. - Ask the skill author to clarify the metadata inconsistency: SKILL.md includes a configPaths entry (~/.config/nemovideo/) and mentions detecting install paths for headers — confirm whether the agent will read local files or only compute headers from known install locations without reading other config or secrets. - If you are uncomfortable with any local path inspection, do not grant the skill access to your filesystem or run it in an environment with sensitive files. Given the lack of an author homepage or source and the subtle metadata/registry mismatch, exercise caution and seek clarification before uploading real production or private videos.

Review Dimensions

Purpose & Capability: okThe name and description (product video cutting) align with the runtime instructions: creating sessions, uploading video files, streaming edits, and requesting renders from https://mega-api-prod.nemovideo.ai. Requesting a single token (NEMO_TOKEN) is proportionate for a hosted service API.
Instruction Scope: noteInstructions stay within the stated purpose (session creation, upload, SSE, render/polling). However, the SKILL.md instructs generating anonymous tokens and saving them as NEMO_TOKEN, and it describes deriving headers that include an installation path detector (e.g., checking ~/.clawhub/ or ~/.cursor/skills/), which implies the agent may inspect local paths. The SKILL.md does not explicitly instruct reading other system secrets, but the install-path detection and a metadata configPaths entry (~/.config/nemovideo/) could encourage reading local config — ask the author to clarify what local files, if any, the agent will access.
Install Mechanism: okNo install spec and no code files (instruction-only) — lowest install risk. The skill simply describes remote API usage; nothing is downloaded or written by an installer in the manifest.
Credentials: noteOnly NEMO_TOKEN is required, which is appropriate for a hosted video-processing API. Still, the skill may create and store an anonymous token if none exists. Treat NEMO_TOKEN as a sensitive credential — the skill will use it for all API calls. The metadata references a config path (~/.config/nemovideo/) even though the registry reported no required config paths; this mismatch should be clarified.
Persistence & Privilege: okThe skill is not set to always:true and does not request system-wide persistence. It does instruct saving a session_id returned by the API (expected for interactive sessions). Autonomous invocation is allowed by default but not combined with other high-risk requests.