Skill v1.0.0

ClawScan security

Video Trimmer Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 5:24 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match its stated purpose (cloud trimming via a Nemo backend) but there are small metadata inconsistencies and it will upload your video files and use/obtain a bearer token from an external service — review privacy, credentials, and the remote domain before installing.
Guidance
This skill will upload your videos and interact with a third‑party API at mega-api-prod.nemovideo.ai. Before installing or using it: (1) Confirm you are comfortable with your video content being sent to that remote service and check their privacy/data retention practices; (2) decide whether to supply your own NEMO_TOKEN (if you have one) or allow the skill to obtain an anonymous token — anonymous tokens have limited lifetime/credits; (3) note the small metadata mismatches (declared config paths and required env var vs. the SKILL.md auto-token flow) — they look like sloppy metadata rather than active malicious behavior, but you may want clarification from the skill author; (4) test with non-sensitive sample videos first; (5) if you need stronger assurance, ask the author for a privacy/security statement, data retention policy, and whether uploads are encrypted in transit and at rest.

Review Dimensions

Purpose & Capability
note: The skill claims to trim and return videos via a cloud backend and the SKILL.md exclusively describes API calls to a remote 'nemovideo' service — this is consistent with the stated purpose. Minor incoherence: registry metadata declares NEMO_TOKEN as required, but the runtime instructions include a path to automatically obtain an anonymous token if NEMO_TOKEN is absent (so requiring the env var as mandatory is inconsistent). Also the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) whereas the registry header earlier reported no required config paths.
Instruction Scope
note: The runtime instructions tell the agent to POST to https://mega-api-prod.nemovideo.ai endpoints, create sessions, upload user files (multipart or by URL), stream SSE messages, poll for render status, and return download URLs. All of that is coherent with a cloud video-trimming service. Important privacy/security implication: user video files and session tokens are transmitted to a third-party service. The instructions also direct the agent to read the skill's YAML frontmatter and detect the install path for attribution headers — this is expected but should be noted.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is low-risk in terms of writing/executing new code on disk. All runtime behavior is network/API interaction described in SKILL.md.
Credentials
note: Only one credential is declared (NEMO_TOKEN) which is appropriate for a cloud API. However the SKILL.md both expects to use an existing NEMO_TOKEN and documents how to obtain an anonymous NEMO_TOKEN via an API call when none is present — meaning the env-var requirement as 'required' is inconsistent. The frontmatter also mentions a config path (~/.config/nemovideo/) not reflected in the registry summary. No unrelated credentials are requested.
Persistence & Privilege
ok: The skill is not marked always:true and has no install steps that modify other skills or system-wide settings. It requests only an API token for a remote service and session IDs to manage jobs; nothing in the SKILL.md asks to persistently alter the agent or other skills.