Skill v1.0.0
ClawScan security
Video Compressore Parkside · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 25, 2026, 7:59 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (cloud video compression) mostly matches its instructions, but there are inconsistencies around credential/config requirements and a few implementation details that don't add up. Review before installing or supplying real credentials.
- Guidance: This skill will upload whatever video files you send to https://mega-api-prod.nemovideo.ai for cloud processing and expects a NEMO_TOKEN (but can also auto-request an anonymous token). Before installing or using it:
  1) Do not provide a long-lived or production NEMO_TOKEN unless you trust the backend; use a disposable/test token if possible.
  2) Confirm the backend domain and provider reputation (mega-api-prod.nemovideo.ai) and check privacy/storage/retention policies for uploaded videos.
  3) Ask the skill author to clarify the inconsistent metadata (the frontmatter lists ~/.config/nemovideo/ while the registry lists no config paths) and whether the skill will inspect local install paths to derive headers.
  4) If you need stronger assurance, request an auditable code path or a provider homepage/terms of service; avoid sending sensitive or private footage until you verify the service.
Review Dimensions
- Purpose & Capability (note): The skill claims to perform cloud video compression, and all network endpoints and API actions in SKILL.md align with that purpose. Requesting a NEMO_TOKEN for backend authorization is coherent. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata says no config paths are required; this discrepancy is unexplained.
- Instruction Scope (note): The instructions cover only API calls to mega-api-prod.nemovideo.ai, SSE handling, uploads, polling and download, all expected for a cloud render service. They do tell the agent to derive an X-Skill-Platform header by inspecting install paths (e.g. ~/.clawhub/, ~/.cursor/skills/), which implies reading local install paths; that is marginal scope creep but not obviously malicious. The skill will upload user video files to the specified third-party domain, which is necessary for cloud processing but has privacy implications.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files. That lowers disk-write risk; nothing is downloaded or installed by the skill itself.
- Credentials (concern): The registry declares NEMO_TOKEN as a required primary credential, which fits a cloud API integration. But SKILL.md also describes an automatic anonymous-token acquisition flow (POST to /api/auth/anonymous-token) when NEMO_TOKEN isn't present, meaning the skill can obtain and use tokens itself. Also, the frontmatter mentions a config path (~/.config/nemovideo/) that the registry did not list as required. These inconsistencies about how credentials and local config are used are concerning and should be clarified before providing secrets.
- Persistence & Privilege (ok): always:false is set and no install behavior is requested. The skill does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed but is the platform default and not in itself a red flag here.
