Skill v1.0.0
ClawScan security
Video Compressor Online 2gb · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 7:38 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a cloud-based video compression service (it requires a NEMO_TOKEN and instructs uploading files to nemovideo.ai), but it auto-requests anonymous tokens and contains a minor metadata mismatch — review privacy and trust in the external service before uploading sensitive videos.
- Guidance
- This skill appears to do what it says: upload your videos to nemovideo.ai, run cloud compression, and return a download link. Before installing or using it, consider: 1) Privacy: your videos will be uploaded to an external service (mega-api-prod.nemovideo.ai). Don’t upload sensitive content unless you trust the site and have read its terms/privacy policy. 2) Tokens: if you don't provide a NEMO_TOKEN, the skill will automatically request an anonymous token and use it for 7 days — if you prefer control, supply your own token. 3) Metadata mismatch: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not; this is likely benign but worth noting. 4) No code to inspect: because the skill is instruction-only, static analysis cannot verify runtime network behavior — monitor network calls or review runtime logs if you need higher assurance. If any of these are unacceptable, do not enable the skill or only use it with non-sensitive test videos.
- Findings
[NO_CODE_TO_SCAN] expected: The skill is instruction-only (SKILL.md) with no code files; the regex scanner had nothing to analyze. Runtime behavior will be HTTP calls and file uploads performed by the agent per SKILL.md.
Review Dimensions
- Purpose & Capability
- ok: Name/description (cloud video compression) align with requested credential (NEMO_TOKEN) and the SKILL.md which describes HTTP endpoints for uploading, rendering, and downloading videos. No unrelated credentials or binaries are requested.
- Instruction Scope
- note: Instructions are focused on the compressor workflow (session creation, SSE chat, upload, export, polling). They explicitly instruct generating an anonymous token via POST to mega-api-prod.nemovideo.ai if NEMO_TOKEN is not present and to hide raw API responses/token values from the user. Hiding token values is plausible (avoid leaking secrets) but is notable because it gives the skill discretion to obtain and store credentials automatically. The instructions do not ask the agent to read unrelated system files, but they reference install path detection and include a configPath in frontmatter.
- Install Mechanism
- ok: There is no install spec and no code files (instruction-only), so nothing is written to disk by the skill itself. This is the lowest-risk install model. All runtime behavior depends on the agent performing HTTP calls described in SKILL.md.
- Credentials
- note: Only NEMO_TOKEN is required, which is proportionate for a cloud compression service. However, the YAML frontmatter includes a configPaths entry (~/.config/nemovideo/) whereas the registry metadata listed none — this metadata mismatch is an incoherence to be aware of. Also, the skill will auto-provision an anonymous token if you don't supply one, which means it will contact the external API and obtain credentials on your behalf.
- Persistence & Privilege
- ok: The skill does not request special platform privileges, keeps always:false (the default), and does not try to modify other skills or system-wide settings. It stores session_id and tokens for the service session as part of normal operation, which is expected for this type of skill.
