Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Online Ai Video Editor
v1.0.0Tell me what you need and I'll help you edit, transform, and polish your videos using AI — no software downloads required. This online-ai-video-editor skill...
⭐ 0· 32·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's requested credential (NEMO_TOKEN) and described cloud API (nemovideo.ai) are consistent with an online video editor. However the YAML frontmatter includes a configPaths entry (~/.config/nemovideo/) even though the registry metadata lists no required config paths — this mismatch is incoherent and could indicate the skill expects to read or write local config despite claiming none are required.
Instruction Scope
Runtime instructions include automatic network calls (creating anonymous tokens and sessions) and say to 'store the returned session_id' and to detect the agent install path (checking ~/.clawhub/ and ~/.cursor/skills/) to set X-Skill-Platform headers. That requires reading the filesystem and making outbound requests on first use; it also tells the agent to avoid showing raw API responses or token values. These are plausible for a cloud editor, but they broaden scope (automatic credential creation, filesystem probing) beyond simply 'edit this video' and should be disclosed to users.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — the lowest-risk install model. There is no package download or archive extraction.
Credentials
Only one environment variable (NEMO_TOKEN) is declared as primary, which fits the described API usage. However, the instructions also provide a way to auto-generate an anonymous token if NEMO_TOKEN is missing, making the declared 'required' status ambiguous. The frontmatter's configPaths entry (not reflected in registry 'Required config paths') raises questions about whether local config or credentials might be read or written.
Persistence & Privilege
always:false and no install steps are good. The skill instructs storing session_id and tokens for subsequent requests but doesn't specify where (in-memory vs on-disk). The frontmatter hint at ~/.config/nemovideo/ suggests possible local persistence; this should be clarified before trusting the skill with long-lived credentials or sensitive content.
What to consider before installing
What to consider before installing: 1) This skill will call https://mega-api-prod.nemovideo.ai and will upload video files to a third-party cloud service — do not use it for sensitive footage unless you trust that service's privacy policy. 2) It declares NEMO_TOKEN but also auto-creates anonymous tokens via the API if none is provided; decide whether you want to supply your own token (for a paid/accounted session) or let it obtain anonymous credentials. 3) The skill asks the agent to detect install paths and references a local config directory in its frontmatter (inconsistency with registry metadata) — ask the author to clarify whether any local files or config will be read/written and where session tokens are stored. 4) No install files are present (instruction-only), but because it makes outbound network calls and can upload files, run it in an environment you control if you need to audit traffic or prevent persistent tokens. 5) If you require stronger assurance: request the skill's source code or a privacy/security policy for the backend, or use a well-known video-processing provider with published docs instead.Like a lobster shell, security has layers — review code before you run it.
latestvk975b1rvgvbsp07ps3yyf4myzn842dx5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN