Clip Maker
Analysis
Clip Maker appears to be a cloud video-clipping skill that uses a NemoVideo token/API to upload and render media, with no malicious behavior evident in the provided artifacts.
Findings (9)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
"click [button]" / "点击" | Execute via API
The instructions make backend text actionable by translating GUI-like backend responses into API operations. This is aligned with the video-editing workflow, but it means remote service responses can steer follow-up actions.
Upload: POST `/api/upload-video/nemo_agent/me/<sid>`; Export: POST `/api/render/proxy/lambda`.
The skill exposes upload and export operations to an external rendering service. These operations are central to the stated purpose and are scoped to media processing.
Source: unknown; Homepage: none
The registry does not provide source or homepage provenance. There is no installable code or package dependency, but users may want to verify the external service/provider before use.
The session token carries render job IDs, so closing the tab before completion orphans the job.
The skill discloses that render jobs are tied to remote session/job IDs and may be orphaned if interrupted. This is a bounded workflow-lifecycle issue rather than broad propagation.
Export (free, no credits) ... `402` — free plan export blocked; not a credit issue, subscription tier
The export path is described as free/no-credit, while the error table notes a subscription-tier block can occur. This is disclosed, but users should not assume all exports will be available without plan limits.
Poll GET `/api/render/proxy/lambda/<id>` every 30s until `status` = `completed`.
The skill may continue polling and a cloud render job may continue until completion. This is disclosed and limited to the user-requested render workflow.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
All requests must include: `Authorization: Bearer <NEMO_TOKEN>` ... Don't print tokens or raw JSON.
The skill requires a bearer token for the video API and includes an instruction not to expose it. This credential use is expected for the integrated service.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Save `session_id` from the response.
The skill maintains a remote session identifier and later queries session state containing drafts, video info, and generated media. This is expected for render continuity but creates session context that may persist during the workflow.
Send message (SSE): POST `/run_sse` ... app_name `nemo_agent` ... Accept: text/event-stream.
The skill communicates with a remote agent-like backend over SSE. The endpoint and bearer-token authentication are disclosed, and the communication is purpose-aligned.