ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editing With Youtube

v1.0.0

Cloud-based video-editing-with-youtube tool that handles editing and polishing videos for YouTube upload. Upload MP4, MOV, AVI, WebM files (up to 500MB), des...

0· 58·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, endpoints, and the single required env var (NEMO_TOKEN) align with a cloud video-editing service. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata did not list — an internal inconsistency to clarify (it suggests the skill may expect to read or store config files).
Instruction Scope
Instructions explicitly direct the agent to: generate/use NEMO_TOKEN, create sessions, upload user video files (multipart or URLs), stream SSE, poll render status, and download resulting files from mega-api-prod.nemovideo.ai. Uploading user media to an external third-party API is expected for this purpose, but it is also a data-exfiltration risk (the skill will transmit potentially sensitive video/audio to that domain). The SKILL.md requires adding attribution headers and auto-detecting an install path for X-Skill-Platform despite being an instruction-only skill with no install spec — this is a small inconsistency that may affect header values.
Install Mechanism
There is no install script or third-party download; this is instruction-only. That minimizes on-disk code execution risk.
Credentials
Only one credential (NEMO_TOKEN) is required, which is appropriate for the described API usage. The SKILL.md also includes a config path in its frontmatter (~/.config/nemovideo/), but the registry metadata listed none — this mismatch should be resolved because that path could grant access to local config/token files if the agent uses it.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill instructs saving session_id and using tokens but does not request persistent system-wide privileges or to modify other skills. No elevated privileges are requested.
What to consider before installing
This skill will upload the videos and related metadata you provide to https://mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (you can use an anonymous token the skill creates). Before installing, consider: 1) Do you trust this third-party domain to handle/retain your video/audio data? 2) Confirm how/where the skill stores the anonymous token and session_id (it may persist them for up to 7 days). 3) Ask the publisher to resolve the metadata inconsistency: SKILL.md frontmatter lists ~/.config/nemovideo/ but the registry metadata did not — clarify whether the skill will read or write local config files. If you need confidentiality for media, avoid using the skill until you verify the service's privacy/retention policy or use a vetted, known provider.

Like a lobster shell, security has layers — review code before you run it.

latestvk972fxhdz16dmp0f0qj8mvn6bn84md9e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments