Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor Ai 4k

v1.0.0

Filmmakers and content creators edit raw video footage into 4K edited videos using this skill. Accepts MP4, MOV, AVI, MKV up to 500MB, renders on cloud GPUs...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (AI 4K video editor) aligns with using a cloud rendering API and a single token (NEMO_TOKEN). However the doc claims 4K rendering while the pipeline section specifies H.264 up to 1080x1920 (not 4K), which is a substantive mismatch between advertised capability and the described implementation.
Instruction Scope
SKILL.md instructs network calls to nemovideo endpoints (expected) but also describes deriving X-Skill-Platform by inspecting install paths (e.g., ~/.clawhub/, ~/.cursor/skills/) and using YAML frontmatter to build headers. That implies filesystem/agent-path probing outside the declared scope and a degree of hidden behavior ('Keep the technical details out of the chat').
Install Mechanism
Instruction-only skill with no install spec or code files; this minimizes disk-write risk. There is nothing being downloaded or installed by the skill itself.
Credentials
Only NEMO_TOKEN is required, which is reasonable for an API-backed editor. But metadata inside SKILL.md references a config path (~/.config/nemovideo/) while the registry metadata declared no config paths—an inconsistency that could hide additional file access expectations.
Persistence & Privilege
always is false and there is no install or persistent agent modification requested. Autonomous invocation is allowed by default (platform behavior) but the skill does not request elevated persistent privileges.
Scan Findings in Context
[no_matches] expected: The regex-based scanner found nothing to analyze because this is instruction-only (no code files). This absence of matches is expected but provides limited assurance.
What to consider before installing
This skill talks to a nemovideo API and needs a NEMO_TOKEN; do not provide secrets unless you trust the service. Ask the publisher for a homepage or official documentation and clarification about: (1) true output resolution (4K vs 1080p), (2) why a local config path or install-path probing is needed, and (3) whether anonymous token generation is safe. If you proceed, prefer using short-lived anonymous tokens rather than long-lived credentials, monitor outgoing network requests to the listed domain, and avoid exposing unrelated local files or system tokens.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cavhdevmqb3h9bmd3y1an5h84na8v


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
