Skill v1.0.0
ClawScan security
Video Trimmer Download For Pc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 11:18 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches a cloud-based video-trimming service but has small incoherences (metadata vs registry) and instructions that may require reading local paths / fingerprinting the environment and will upload user videos to an external API — review before installing.
- Guidance: What to check before installing:
  - Understand that using this skill will upload your videos to an external service (mega-api-prod.nemovideo.ai). Do not send sensitive/private footage unless you trust the service and its privacy policy.
  - The skill will look for NEMO_TOKEN in the environment; if absent it will call an anonymous auth endpoint to obtain a temporary token. Decide whether you prefer to supply your own token rather than letting the agent request one.
  - Clarify the metadata mismatch: SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) and requests auto-detection of an install path for X-Skill-Platform — ask the publisher why filesystem access is needed and whether the agent will read or store files in that location.
  - The skill requires adding custom headers that identify the skill and platform; these can fingerprint your environment. If you are uncomfortable exposing install-path-derived platform info, do not enable the skill or request the publisher to remove that requirement.
  - Verify the service domain and ownership (nemovideo.ai) and confirm retention/usage policies for uploaded video and extracted metadata. If you cannot validate the backend operator, treat the skill as higher risk.

  If you need help composing specific questions for the publisher (e.g., token persistence, config path usage, data retention), I can draft them.
Review Dimensions
- Purpose & Capability (note): Stated purpose (cloud video trimming/export) aligns with required credential NEMO_TOKEN and the API endpoints described. Asking for a token and calling a render/upload API is coherent with the described feature set. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) even though the registry metadata earlier showed no required config paths — that mismatch is unexplained and worth clarifying.
- Instruction Scope (concern): Instructions direct the agent to examine the environment for NEMO_TOKEN (expected) and, if missing, to call an anonymous auth endpoint to obtain a token. They also require attaching attribution headers and ask to auto-detect an install path to populate X-Skill-Platform (i.e., reading install filesystem information). The skill will upload user-supplied video files to an external domain (mega-api-prod.nemovideo.ai). These behaviors are understandable for a cloud service but expand scope to network access and potential filesystem inspection/fingerprinting — the SKILL.md does not justify reading install/config paths or explain token persistence.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. This is the lowest install risk (no downloads or extracts).
- Credentials (concern): The skill declares a single required environment variable (NEMO_TOKEN), which is proportionate. But the frontmatter's configPaths entry (~/.config/nemovideo/) implies the agent may read local config files, and the instructions ask to auto-detect an install path for X-Skill-Platform — both would grant access to filesystem metadata beyond a single API token. The registry metadata earlier contradicted that (it showed no config paths), creating an unexplained discrepancy.
- Persistence & Privilege (ok): always:false and no install steps that modify other skills or agent-wide settings. The skill does create session tokens and may reuse anonymous tokens but does not request permanent elevated presence.
