Free Hd Browser

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent cloud video-processing integration, but users should know it sends selected videos and an access token to an external Nemovideo backend.

This appears to be a normal cloud video-processing skill, not a local-only video player. Before installing, make sure you are comfortable sending selected video files or URLs to `mega-api-prod.nemovideo.ai` and using a Nemovideo token or anonymous token for processing.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI02: Tool Misuse and Exploitation

Low

What this means

Videos or media URLs you provide may be uploaded to Nemovideo's cloud service for processing.

Why it was flagged

The skill is designed to send user-provided media to an external cloud video service. This is consistent with the stated cloud rendering purpose, but it is still an important data-flow and tool-use behavior.

Skill content

All calls go to `https://mega-api-prod.nemovideo.ai`... **Upload** — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.

Recommendation

Only use it with files you are comfortable sending to that provider, and avoid uploading sensitive or private videos unless you trust the service.

#ASI03: Identity and Privilege Abuse

Low

What this means

The skill can act within the permissions and credit limits of the Nemovideo token it uses.

Why it was flagged

The skill uses a bearer token to authenticate with the video backend. This is expected for the integration and there is no evidence that the token is sent anywhere else.

Skill content

Check if `NEMO_TOKEN` is set in the environment... The response `data.token` is your NEMO_TOKEN... **All requests** must include: `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Use a dedicated or temporary token where possible, and do not share logs or transcripts that might expose the token.

#ASI04: Agentic Supply Chain Vulnerabilities

Info

What this means

You have less information to verify who maintains the skill or whether the external service is official.

Why it was flagged

The artifact has limited publisher/provenance information. This does not show malicious behavior, but it reduces the ability to independently verify the provider or project.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the provider domain and terms before sending private media or relying on the service for important work.