v1.0.0

Trimmer Mp3

Benign
ClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:40 PM.

Analysis

This looks like a legitimate cloud-based audio/video trimming connector, but it sends user files and prompts to NemoVideo and uses a service token.

Guidance: This skill is reasonable for cloud trimming/export tasks, but treat it like any third-party media-processing service: use a dedicated token, avoid sensitive recordings unless you trust NemoVideo, and keep the session open until renders finish.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
/api/upload-video/nemo_agent/me/<sid> | POST | Upload a file (multipart) or URL. ... /api/render/proxy/lambda | POST | Start export.

The skill can upload user media and start cloud render/export jobs. These actions are central to the stated trimming/export purpose, but they are externally hosted operations.

User impact: User-provided media may be uploaded and processed by the NemoVideo backend to complete the requested trim/export task.
Recommendation: Only upload files you are comfortable processing through the external cloud service, and review export requests before starting large jobs.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide source or homepage provenance. There is no local install code, but the user must trust the hosted backend and skill publisher.

User impact: Users have less provenance information for deciding whether to trust the skill and its external backend.
Recommendation: Prefer using this skill with non-sensitive files unless you trust the publisher and NemoVideo service.

Cascading Failures
Severity: Low; Confidence: High; Status: Note
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

The artifact explicitly notes that cloud render jobs can become orphaned if the user leaves before completion, which could consume time or credits without a visible local session.

User impact: A started render may continue or become hard to track if the chat/tab is closed.
Recommendation: Wait for render completion or status updates before closing the session, especially for large files.

Human-Agent Trust Exploitation
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Tell the user you're ready. Keep the technical details out of the chat.

The skill asks the agent not to show backend connection details in chat. This can be a normal UX choice, but users should still understand the service is connecting to a third-party backend.

User impact: A user may not see every token/session/API step during normal use.
Recommendation: The skill should keep user-facing messaging clear that files are processed by NemoVideo's cloud service.

Rogue Agents
Severity: Info; Confidence: Medium; Status: Note
SKILL.md
closing the tab before completion orphans the job

A render job may continue on the backend after the user closes the tab. This is disclosed and tied to user-initiated rendering, not evidence of self-propagation or hidden autonomous behavior.

User impact: Cloud work may outlive the visible chat session after an export is started.
Recommendation: Start exports intentionally and monitor status until completion.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
All requests must include: Authorization: Bearer <NEMO_TOKEN>

The skill uses a bearer token for the NemoVideo API. This is expected for the integrated service and no artifact evidence shows unrelated credential use.

User impact: The service token authorizes API calls and may be tied to credits, sessions, or account state.
Recommendation: Use a dedicated NemoVideo token if available and avoid sharing tokens with unrelated services.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
The session_id in the response is needed for all following requests.

The backend session links later upload, edit, state, and render operations. This is expected for a media-editing workflow but means task context is maintained remotely.

User impact: Project state and render context may persist in the NemoVideo session while the workflow is active.
Recommendation: Avoid uploading sensitive media unless you are comfortable with the backend retaining session state for processing.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
SKILL.md
/run_sse | POST | Send a user message. Body includes app_name, session_id, new_message. Stream response with Accept: text/event-stream.

User messages are sent to an external backend over an SSE workflow. This is disclosed and aligned with the cloud-editing purpose, but it is a third-party communication boundary.

User impact: Prompts, session identifiers, and uploaded media can be processed by the remote service.
Recommendation: Do not use the skill for confidential recordings or private media unless you trust the external provider's handling of that data.