Skill v1.0.0

ClawScan security

Compressor Online 2gb · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:43 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose: it is an instruction-only connector that uploads user videos to a specific cloud API using a single token (NEMO_TOKEN) and does not request unrelated credentials or install software locally.
Guidance
This skill will upload your video files to mega-api-prod.nemovideo.ai and uses a single bearer token (NEMO_TOKEN) for API calls. If you don't provide NEMO_TOKEN, the skill will call the service's anonymous-token endpoint to obtain a short-lived token automatically. Before installing, consider:
1) Privacy — uploading videos to an external service may expose sensitive content; avoid uploading private/confidential footage.
2) Token handling — the skill may persist tokens in ~/.config/nemovideo/ (metadata lists that path); if you prefer, provide your own NEMO_TOKEN rather than letting it create one.
3) Trust & provenance — the source/homepage are unknown; verify the remote domain and the service's privacy/terms if you plan to use it for important data.
4) Limits — tokens expire after 7 days and exports may be blocked by plan/credits.
If any of that is unacceptable, do not enable the skill or only use non-sensitive sample files.

Review Dimensions

Purpose & Capability
ok: Name/description match the instructions: the SKILL.md describes uploading videos and driving a cloud render pipeline at mega-api-prod.nemovideo.ai. Required credential (NEMO_TOKEN) and API endpoints align with a cloud video-compression service.
Instruction Scope
note: Instructions explicitly upload user files to an external cloud endpoint, create sessions, stream SSE, and poll render status — all expected for a cloud compression service. Note: the skill will attempt to obtain an anonymous token itself if NEMO_TOKEN is not present, which means it will call the auth endpoint without an explicit user-provided token; users should expect their files to be sent to the remote service.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This minimizes local install risk (nothing is downloaded or written by an installer step).
Credentials
note: Only NEMO_TOKEN is required (appropriate for a single cloud API). Metadata also lists a config path (~/.config/nemovideo/) which is plausible for storing tokens, but SKILL.md does not explicitly describe reading/writing that path — a small mismatch to be aware of. The skill may generate an anonymous token itself if none is provided.
Persistence & Privilege
ok: always:false and normal autonomous invocation settings. The skill does not request elevated platform privileges or system-wide configuration changes.