ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editing Software

v1.0.0

Turn raw footage into share-ready videos without spending hours in a timeline. This skill brings the power of ai-video-editing-software directly into your wo...

0· 37·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (AI video editing) align with the runtime instructions which call a cloud rendering/transcription API and accept uploads. However the registry metadata provided earlier lists no config paths while the SKILL.md frontmatter includes configPaths (~/.config/nemovideo/) — a mismatch worth noting. The skill's requirement of a single token (NEMO_TOKEN) is coherent with a cloud API-backed editor.
Instruction Scope
SKILL.md instructs the agent to: use NEMO_TOKEN or obtain an anonymous token by POSTing to https://mega-api-prod.nemovideo.ai, create sessions, upload files (multipart or by URL), and poll render status. These steps are expected for a cloud video-editing workflow. It will transmit user video files and edit drafts to an external service, and it inspects install/config paths to set an X-Skill-Platform header — the file-system inspection and outbound data transfer are within the skill's stated purpose but have privacy implications.
Install Mechanism
This is instruction-only with no install spec or code files, so nothing is written to disk by an installer. That reduces surface area; all network interactions occur at runtime as described in SKILL.md.
Credentials
The skill requires a single credential (NEMO_TOKEN) which is proportionate for a cloud API client. Minor inconsistency: registry metadata earlier listed no required config paths, while SKILL.md frontmatter declares configPaths [~/.config/nemovideo/]. The skill also autodetects install path(s) (~/.clawhub/, ~/.cursor/skills/) to set an attribution header — reading those paths is not strictly necessary for core editing functions and could leak environment details.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default) but not combined with elevated privileges. The skill does require runtime network access and will create transient sessions with the external API.
What to consider before installing
This skill appears to do what it says (cloud-based AI video editing) but it will upload your video files and metadata to https://mega-api-prod.nemovideo.ai and may read install/config paths to set attribution headers. The publisher/source and homepage are unknown and registry metadata disagrees with the SKILL.md about config paths. Before installing: 1) Decide whether you trust the external service with your media—do not upload sensitive or private footage. 2) Prefer providing your own NEMO_TOKEN from a known account rather than relying on the skill to obtain an anonymous token. 3) Ask the publisher for a homepage/privacy policy and confirmation of where data is stored/retention/processing. 4) If you must test, use non-sensitive sample footage first. If the publisher cannot provide clear provenance and a privacy policy, treat the skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk971qarcy6sq7k39hk561v4t8x8426kt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments