Skill v1.0.0
ClawScan security
Audio Cutter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 2:30 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with an audio-trimming cloud service: it needs a NEMO_TOKEN (or will obtain an anonymous token) and uploads user media to nemovideo.ai for processing.
- Guidance: This skill will upload any audio/video files you give it to mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN (or will request a temporary anonymous token). Confirm you are comfortable with the privacy implications before uploading sensitive recordings. Note the SKILL.md mentions reading an install path and a local config directory (~/.config/nemovideo/) — clarify with the publisher whether the skill will read local files or write tokens to disk. If you supply a NEMO_TOKEN, ensure it is scoped appropriately and not a high-privilege credential for other services. Finally, verify the service's privacy/terms (homepage is not provided) before sending confidential data.
Review Dimensions
- Purpose & Capability (note): Name and description match the instructions: the skill uploads media and requests a session/token from mega-api-prod.nemovideo.ai to perform trimming and export. The single required credential, NEMO_TOKEN, is appropriate for an external render service. Minor inconsistency: the registry metadata reported no required config paths, but the SKILL.md frontmatter lists a config path (~/.config/nemovideo/). This is likely benign but should be clarified.
- Instruction Scope (note): SKILL.md instructs the agent to read NEMO_TOKEN from the environment (declared), create sessions, upload files, stream SSE responses, and poll status endpoints — all coherent for a cloud render workflow. It also advises detecting an install path to set X-Skill-Platform (references ~/.clawhub/ and ~/.cursor/skills/), and the frontmatter references a config path; those require the agent to inspect local paths, which is not strictly necessary for core functionality and is worth noting. All network interactions go to mega-api-prod.nemovideo.ai (expected). The instructions will cause user audio files to be transmitted to an external service, which is normal for this skill but privacy-sensitive.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest risk from installation. Nothing is downloaded or written to disk by an installer.
- Credentials (note): Only NEMO_TOKEN is declared as required and is used by the API, which is proportionate. The skill will fall back to obtaining an anonymous token via the public auth endpoint if no token is present, so it does not force provision of other secrets. The SKILL.md's frontmatter metadata referencing a config path (~/.config/nemovideo/) is inconsistent with the registry and implies optional access to a local config directory — this should be clarified.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills, and has no install-time persistence. Autonomous invocation is enabled (platform default) but not combined with elevated privileges or wide credential access.
