Skill v1.0.0
ClawScan security
Free Product Video Cutter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 12:53 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (cloud video trimming) and only requires a single service token, but there are small metadata inconsistencies, and it will auto-create and store a token by calling an external API, so you should review that behavior before installing.
- Guidance: This skill looks coherent for cloud-based video trimming, but before installing consider: (1) it will talk to an external service (mega-api-prod.nemovideo.ai) and can auto-create and persist an anonymous token/session_id; if you prefer control, set NEMO_TOKEN yourself rather than letting the skill generate it; (2) clarify the frontmatter's config path (~/.config/nemovideo/): find out whether the skill will write/read files there and what it stores; (3) verify the external domain is trusted and acceptable for you to upload video content to (privacy/data policy); and (4) if you have sensitive videos, avoid automatic uploads or test with non-sensitive content first. These checks would raise confidence to high.
Review Dimensions
- Purpose & Capability (ok): Name/description (cloud GPU video trimming, MP4/MOV/AVI/WebM support) align with the runtime instructions and the NEMO API endpoints referenced. Requesting a NEMO_TOKEN credential is coherent with calling nemovideo.ai. One inconsistency: the registry metadata summary earlier listed no required config paths, but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/). This mismatch should be clarified.
- Instruction Scope (note): Instructions are focused on connecting to the nemo backend, uploading files, reading SSE, polling job state, and returning download URLs, all within the stated purpose. The skill instructs automatic anonymous-token creation (POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token), storing returned tokens/session_id, reading its own frontmatter, and detecting an install path to set X-Skill-Platform. These behaviors are expected for a hosted-render workflow but mean the agent will contact an external service and persist auth/session values; the doc also explicitly tells the agent not to display raw token values to the user.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. Lowest-risk install posture.
- Credentials (note): The skill declares a single required credential (NEMO_TOKEN), which is proportional to calling the Nemovideo API. The SKILL.md also references a config path (~/.config/nemovideo/) in its frontmatter; if the agent will read/write that directory, it increases scope beyond just a single in-memory token. Clarify whether the skill will create or read files in that path. No other unrelated secrets or credentials are requested.
- Persistence & Privilege (ok): always:false and model invocation is allowed (default). The skill asks to generate and store an anonymous token/session_id for subsequent calls, which is normal for a cloud API integration. It does not request permanent platform-wide privileges or to modify other skills' configurations.
