Skillv1.0.0

ClawScan security

Trimmer Ezgif · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 23, 2026, 2:56 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's required credential and runtime instructions line up with a cloud video-trimming service, but there are a couple of small metadata inconsistencies and privacy implications you should review before using it.
Guidance: This skill appears to do what it says: it uploads your video to a nemovideo.ai backend, trims/exports it, and returns a download URL. Before installing, consider: 1) Privacy — your media will be uploaded to an external service (mega-api-prod.nemovideo.ai); don't upload sensitive videos. 2) Credentials — prefer using a short-lived anonymous token (the instructions support acquiring one) instead of a long-lived account token if you don't trust the publisher. 3) Metadata mismatch — SKILL.md references ~/.config/nemovideo/ (and derives an X-Skill-Platform from install paths) while registry metadata did not list configPaths; ask the publisher which local paths (if any) the skill will read. 4) Unknown publisher — because the source/homepage is unknown, verify the service's privacy/security policy before sending private content. If you need higher assurance, request the author/publisher to provide a homepage or official source and to clarify the configPath usage.

Purpose & Capability: noteName/description describe a cloud video trimmer and the skill asks for one service credential (NEMO_TOKEN) and describes calls to a nemaovideo.ai API — this is coherent. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths; that mismatch should be clarified.
Instruction Scope: okSKILL.md instructions stay on-topic: authenticate (use NEMO_TOKEN or acquire an anonymous token), create a session, upload media, drive edits via SSE or REST endpoints, and poll for export. It does not instruct reading unrelated files or requesting unrelated credentials.
Install Mechanism: okThis is an instruction-only skill with no install spec or code files, so nothing is written to disk by the skill itself. That is the lowest-risk install model.
Credentials: noteOnly NEMO_TOKEN is required, which is proportional for a cloud service. Note the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) and refers to deriving an X-Skill-Platform header from an install path — these imply the skill may inspect local paths or config if present, even though the registry top-level metadata did not list config paths. Confirm whether the skill will access that local config directory.
Persistence & Privilege: okalways:false and normal model invocation are used. The skill does not request permanent system-wide privileges or changes to other skills' configs.