Skill v1.0.0

ClawScan security

Video Frames Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 10:59 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are generally consistent with a cloud-based video frame extraction service, but there are small metadata inconsistencies and privacy trade-offs (it uploads your video to an external API and uses a token) you should review before installing.
Guidance
This skill appears to do what it says: it will upload videos to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN (or automatically request a short-lived anonymous token). Before installing:

1) Decide whether you are comfortable sending your media to that external domain and review its privacy/retention policy (no homepage provided in the registry).
2) Note the skill may generate and use an anonymous token (100 free credits, 7-day expiry) if NEMO_TOKEN is not set; if you prefer to control the token, set NEMO_TOKEN yourself.
3) There's a small metadata inconsistency: SKILL.md mentions ~/.config/nemovideo/ while the registry said no config paths. Ask the author which is true.
4) Test first with non-sensitive video, and verify your agent runtime does not log or persist tokens unintentionally.

If you need higher assurance, request the skill’s source or an official service/privacy link before proceeding.

Review Dimensions

Purpose & Capability
ok: The skill is described as a cloud-based video frame extraction service and its runtime instructions only reference a single external video-processing backend and a single credential (NEMO_TOKEN), which is appropriate for that purpose.
Instruction Scope
note: Instructions are narrowly scoped to creating a session, uploading video, driving SSE/chat, polling export status, and returning download URLs. It will upload user-provided videos to https://mega-api-prod.nemovideo.ai and will attempt to obtain an anonymous token if NEMO_TOKEN is not provided; this network activity is expected but you should confirm you’re comfortable sending your media to that endpoint.
Install Mechanism
ok: No install spec or code files; instruction-only skill. This is the lowest-risk install model (nothing written to disk by an installer).
Credentials
note: The skill only requires a single credential (NEMO_TOKEN), which matches the declared purpose. However, SKILL.md frontmatter also references a config path (~/.config/nemovideo/) for metadata even though the registry metadata earlier listed no required config paths; that's an internal inconsistency to confirm. The skill will also create an anonymous token via an external API if no token is present.
Persistence & Privilege
ok: always:false and normal autonomous invocation settings. The skill expects to keep a session_id in-memory during interactions; there is no explicit instruction to modify other skills or system-wide settings. Confirm whether your agent runtime persists session data to disk and where.