v1.0.0

Video Trimmer High

Benign

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:32 PM.

Analysis

This looks like a purpose-aligned cloud video trimming skill, but it will contact an external NemoVideo API, use a token, upload media, and keep cloud session/render state.

Guidance: Install this only if you are comfortable sending raw video files to `https://mega-api-prod.nemovideo.ai` and using a NemoVideo token or generated anonymous token. Avoid uploading sensitive footage unless you trust the provider, and review export/credit usage for important projects.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: High | Status: Note
SKILL.md
The backend responds as if there's a visual interface. Map its instructions to API calls: ... "click" or "点击" → execute the action via the relevant endpoint

The skill makes remote backend responses actionable by translating GUI-style text into API calls. This is disclosed and purpose-aligned for video editing, but it means the backend can influence follow-up actions within the workflow.

User impact: The remote service may guide editing or export steps after you submit a request.
Recommendation: Use the skill for intended video-editing tasks and review important or credit-consuming actions such as export before relying on the result.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Upload — POST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs ... Export — POST /api/render/proxy/lambda ... Poll GET /api/render/proxy/lambda/<id>

The skill uses external API operations to upload media, render, poll status, and return a download URL. These actions are central to cloud video trimming, but they are meaningful operations on user files and rendering credits.

User impact: Your uploaded video will be processed by the external service, and export jobs may consume service credits.
Recommendation: Only upload videos you are comfortable processing through the NemoVideo cloud API, and confirm exports when cost or confidentiality matters.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide a source repository or homepage for a skill that depends on an external cloud API. There is no local package or script provenance issue in the provided artifacts, but provider provenance is limited.

User impact: You have less independent information about who operates or maintains the remote processing service.
Recommendation: Verify the provider and service terms before uploading sensitive or valuable media.

Cascading Failures
Severity: Info | Confidence: Medium | Status: Note
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

The skill discloses that an interrupted session can leave a cloud render job orphaned. This is limited to the render workflow, but users should know jobs may not cleanly stop if the session is interrupted.

User impact: A render may continue or become hard to track if you close the session before it finishes.
Recommendation: Wait for exports to complete when possible, and check job/status information before starting duplicate renders.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Include `Authorization: Bearer <NEMO_TOKEN>` ... Free token: Generate a UUID as client identifier, then POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`

The skill uses a NemoVideo bearer token or creates an anonymous token for access to the processing API. This is expected for the integrated service and there is no artifact evidence of token printing, hardcoding, or unrelated use.

User impact: The skill can act against the NemoVideo API using the configured or generated token, including checking credits and starting render jobs.
Recommendation: Use a token intended for this service, avoid sharing it elsewhere, and monitor credit usage if it is tied to an account.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Save `session_id` from the response ... The session token carries render job IDs ... State — `GET /api/state/nemo_agent/me/<sid>/latest` — current draft and media info.

The workflow uses session IDs and cloud-side draft/media state. This persistence is expected for render jobs, but it means video project context may remain associated with a session.

User impact: Your project state, media metadata, and render job references may persist in the remote service during the session/job lifecycle.
Recommendation: Avoid uploading sensitive footage unless you trust the service, and clear or abandon sessions according to the provider's controls if available.