ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best With Ai

v1.0.0

Get AI-polished videos ready to post, without touching a single slider. Upload your raw video footage (MP4, MOV, AVI, WebM, up to 500MB), say something like...

0· 50·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (AI video editing) aligns with the endpoints and actions described (upload, render, export). Requiring a NEMO_TOKEN is consistent with a cloud service. However, the SKILL.md frontmatter metadata lists a config path (~/.config/nemovideo/) while the registry summary lists no required config paths — this mismatch is unexplained and could imply undeclared filesystem access.
Instruction Scope
The runtime instructions are explicit about network calls: obtaining an anonymous token, creating a session, uploading user media, streaming SSE events, polling render status, and returning download URLs. Those actions are consistent with a cloud-rendering video editor, but they will send user video/audio to an external domain (mega-api-prod.nemovideo.ai). The instructions also require deriving and sending attribution headers based on install path, which implies the agent will query filesystem installation locations; that filesystem access is not declared elsewhere.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing will be written to disk by an installer. That lowers install-time risk.
Credentials
Only one credential (NEMO_TOKEN) is declared as required and is used in the described API calls — this is proportional for a cloud editing service. However, the SKILL.md also describes generating/storing anonymous tokens and session IDs at runtime and references a config path in frontmatter; requesting filesystem config access in metadata without declaring it in the registry is inconsistent.
Persistence & Privilege
The skill does not request always: true and does not include an install that modifies other skills or agent-wide settings. It instructs storing session_id and transient tokens for API use, which is normal for a cloud-session workflow.
What to consider before installing
This skill appears to be a cloud-based video editor that uploads your media to mega-api-prod.nemovideo.ai and uses a NEMO_TOKEN for authorization. Before installing: (1) confirm you trust the external service and its privacy policy because your raw videos will be transmitted off-device; (2) be aware the skill will generate and store anonymous tokens and session IDs if you don't provide NEMO_TOKEN — if you prefer control, set your own NEMO_TOKEN in the environment; (3) note the SKILL.md metadata references a config path (~/.config/nemovideo/) while the registry shows none — ask the publisher what that path is used for and whether the skill will read/write files there; (4) the skill's source/homepage are missing — prefer skills with a verifiable homepage or publisher. These inconsistencies justify caution; if you need higher assurance, request the publisher's documentation or a reproducible provenance before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b2f1jzpewnn0fazn1xwpa3984m7fg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤖 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments