
ClawScan security

Trimmer App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 4:58 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary: The skill's declared needs mostly match a cloud video-trimming service, but there are small inconsistencies around the required NEMO_TOKEN and a declared config path that aren't fully justified by the instructions; verify token handling and where uploads/tokens are stored before installing.

Guidance: This skill appears to be a thin client for the nemovideo.ai cloud trimming service and will upload your video files to that backend. Before installing or providing credentials:

1) Confirm you trust https://mega-api-prod.nemovideo.ai and review its privacy/retention policy for uploaded media.
2) Note the metadata says NEMO_TOKEN is required but the instructions can create an anonymous token; if you set your own NEMO_TOKEN, it may grant longer access/credits, so only provide it if you trust the service.
3) Ask the author whether the skill will store tokens or job data under ~/.config/nemovideo/ (metadata lists this path but SKILL.md doesn't explain it); if so, consider where that data is stored and its protections.
4) If you have sensitive footage, avoid uploading it until you validate the backend.

Given the metadata/instructions mismatch, treat the skill as coherent with caution and request clarification from the publisher before trusting private content or supplying a permanent token.

Review Dimensions

Purpose & Capability
note: The skill is described as a cloud video-trimming front end and all runtime instructions call a remote video-processing API (upload, render, status, credits). That matches the stated purpose. However, the registry declares NEMO_TOKEN as a required environment variable and a config path (~/.config/nemovideo/) even though the SKILL.md explicitly supports creating an anonymous token if NEMO_TOKEN is absent. The presence of the config path in metadata is not explained by the instructions.
Instruction Scope
ok: SKILL.md limits actions to contacting the nemovideo backend (auth, session, upload, render, credits, state) and streaming SSE. It does not instruct reading arbitrary user files or system secrets beyond the NEMO_TOKEN. It does ask to detect the install path to set the X-Skill-Platform header, which may require inspecting where the skill is located, but otherwise stays within its editing remit.
Install Mechanism
ok: There is no install spec and no code files; the skill is instruction-only, so nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
concern: The skill declares a single primary env var (NEMO_TOKEN), which is reasonable for a cloud API. However, the metadata marks it required while the SKILL.md provides a fallback anonymous-token flow if the variable is missing. The metadata also lists a config path (~/.config/nemovideo/) that the instructions never explicitly read or write. This mismatch could indicate sloppy metadata or an undocumented persistence behaviour (e.g., storing tokens locally). Verify whether tokens or job metadata are stored locally and whether providing your own NEMO_TOKEN is necessary or safe.
Persistence & Privilege
ok: The skill is not force-included (always: false) and requests no special platform privileges. It does not instruct modifying other skills or global agent settings. Autonomous invocation is permitted (the platform default) but not combined with other high-risk indicators here.