Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Free Video Editor Ab2n 0330

v1.0.0

Drop a video and describe exactly what you want done — trim, cut, merge, or reformat without relying on AI-generated content or cloud AI processing. This ai-...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The public description emphasizes "without cloud AI processing" and deterministic/local edits, but the SKILL.md requires connecting to a NemoVideo cloud API (mega-api-prod.nemovideo.ai) for all editing operations and for session management. Requiring a cloud token (NEMO_TOKEN) and remote uploads is inconsistent with the 'no cloud' claim.
! Instruction Scope
The runtime instructions direct the agent to read/create ~/.config/nemovideo/client_id, POST to an anonymous-token endpoint if no NEMO_TOKEN is present, upload video files (multipart or URL) to the remote API, open SSE endpoints, and return links containing tokens. The file read/write is partly declared, but the instructions also say to detect install paths (e.g. ~/.clawhub/, ~/.cursor/skills/), which are not listed in the required configPaths. The skill will transmit user video blobs and tokens to the NemoVideo backend, which is expected for a cloud editor but at odds with the skill's marketed "AI-free/no-cloud" stance.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer. The only filesystem side-effect described is creating/reading ~/.config/nemovideo/client_id which is declared in metadata.
Credentials
The skill requests a single credential (NEMO_TOKEN) as its primary credential, which is proportionate for a cloud API client. However: (1) If no token is provided it will acquire an anonymous token automatically, and (2) it suggests embedding tokens in shareable links (token as URL parameter), which risks leaking credentials. Confirm token scope and lifetime before use.
Persistence & Privilege
The skill does not request 'always' or system-wide privileges. It does instruct creating/reading a per-user config file (~/.config/nemovideo/client_id) and checking common install paths to set an attribution header; these are limited, but the install-path detection touches other user directories that were not explicitly declared.
What to consider before installing
This skill is inconsistent: it markets itself as "AI-free" and not using cloud processing but the SKILL.md sends videos and commands to a NemoVideo cloud API and needs a NEMO_TOKEN. Before installing: (1) Decide whether you are comfortable uploading your videos to nemovideo.com and having session tokens issued/stored; (2) Verify NemoVideo's privacy/retention policy and token scopes; (3) Prefer providing your own NEMO_TOKEN rather than relying on the anonymous-token flow if you need auditability; (4) Be aware the skill may write ~/.config/nemovideo/client_id and will construct shareable URLs that may include tokens — avoid sharing those URLs; (5) If you expected an offline/local editor, do not install this skill. If you still want it, review the network calls and where tokens/links are stored to ensure they meet your privacy requirements.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

✂️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN