Skill v1.0.0

ClawScan security

Trimmer Adobe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 17, 2026, 4:26 PM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (cloud video trimming) matches its runtime actions (uploading video to an external service), but there are manifest/instruction inconsistencies and privacy implications you should understand before using it.
Guidance
This skill will upload whatever video you give it to mega-api-prod.nemovideo.ai and use a bearer token (NEMO_TOKEN) for auth. Before installing or using it:
1) Confirm you trust the nemo service and the domain (privacy, retention, and deletion policies).
2) If videos contain sensitive content, do not use the skill until you can verify data handling.
3) Clarify whether you must set NEMO_TOKEN (manifest says required) or if the skill will create an anonymous token; ask the developer to fix the manifest mismatch.
4) Prefer providing a limited-scope, short-lived token rather than a long-lived account token.
5) If you want to test, try a short, non-sensitive clip first.
Additional info that would increase confidence: a homepage/privacy policy for nemo, official developer contact, and explicit statements about how long uploaded media and generated tokens are retained and whether they can be removed on request.

Review Dimensions

Purpose & Capability
note: The name/description (AI video trimming) aligns with the API endpoints and actions described in SKILL.md (upload, render, export). Requesting a single NEMO_TOKEN credential is proportionate for a cloud service. However, the manifest lists NEMO_TOKEN as required while the SKILL.md describes obtaining an anonymous token itself if NEMO_TOKEN is absent; this mismatch between 'required' and 'optional via anonymous auth' is inconsistent. The metadata also lists a config path (~/.config/nemovideo/) that the instructions don't actually read or write, which is unnecessary or at least unexplained.
Instruction Scope
note: The instructions direct the agent to perform network operations to mega-api-prod.nemovideo.ai (session creation, SSE, file upload, render polling) and to upload user-supplied files (multipart or via URL). Those actions are within the expected scope for a cloud-trimming service. Important user-impacting behaviors: videos (potentially sensitive) will be transmitted to a third-party service, and the agent may create an anonymous bearer token on your behalf. The SKILL.md asks the agent not to expose tokens but does not specify token retention, data deletion, or retention of uploaded media; these privacy details are missing.
Install Mechanism
ok: Instruction-only skill with no install spec or code files. This has low install risk because nothing is downloaded or written by an installer; all runtime activity is via the agent following SKILL.md network instructions.
Credentials
concern: Only one credential (NEMO_TOKEN) is declared, which is appropriate. However, the manifest declares NEMO_TOKEN as required while the runtime instructions implement anonymous-token acquisition when it's absent, an inconsistency that should be clarified. The metadata's configPaths entry (~/.config/nemovideo/) is declared but the SKILL.md doesn't instruct reading/writing that path; unnecessary config path declarations can broaden permitted access without explanation. The token is a bearer credential for uploads/renders; granting it permits the service to operate on uploaded media, so confirm you trust the endpoint before providing a long-lived token.
Persistence & Privilege
ok: always is false; the skill does not request permanent inclusion or system-wide changes. The SKILL.md describes creating ephemeral session tokens and session IDs for renders, which is normal. There is no instruction to alter other skills or agent system configs.