Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Highlight Maker
v1.0.0Cloud-based video-highlight-maker tool that handles generating short highlight reels from long video recordings. Upload MP4, MOV, AVI, WebM files (up to 500M...
⭐ 0· 56·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is a cloud video processing tool and asks for a NEMO_TOKEN, which fits the stated purpose. However, the SKILL.md frontmatter adds a config path (~/.config/nemovideo/) and expects X-Skill-Platform derived from local install paths (~/.clawhub/, ~/.cursor/skills/), which is not reflected in the registry metadata (metadata listed no required config paths). This mismatch between declared registry metadata and the skill's own instructions is an inconsistency to be aware of.
Instruction Scope
The instructions tell the agent to automatically obtain an anonymous token by POSTing to an external service if NEMO_TOKEN is not present and to 'store the returned session_id' for later requests. They also instruct the agent to detect install platform by checking local paths and to always include attribution headers. Automatic creation and storage of tokens and the implied filesystem inspection (to detect platform or config) expand the agent's actions beyond merely uploading and controlling video processing. The skill also instructs hiding raw API responses and token values from users, which reduces transparency.
Install Mechanism
There is no install spec and no code files (instruction-only). That minimizes on-disk risk because nothing is downloaded or executed by the installer itself.
Credentials
The only declared required credential is NEMO_TOKEN, which is appropriate for a third-party video processing API. However, the skill will create an anonymous NEMO_TOKEN automatically if one is not present, and the frontmatter references a config path (~/.config/nemovideo/) not declared in registry metadata—this raises questions about where tokens/session IDs will be stored and whether additional local config access is required.
Persistence & Privilege
The skill does not request always:true and uses ordinary autonomous invocation. It does instruct storing session_id and potentially using a config path, which implies some persistence of session state; this is plausible but not fully specified. There is no explicit request to modify other skills or system-wide settings.
What to consider before installing
This skill will upload your videos to an external service (https://mega-api-prod.nemovideo.ai) and will create and store an anonymous API token for you if you don't provide NEMO_TOKEN. Before installing: (1) confirm you are comfortable uploading potentially sensitive video content to that domain; (2) consider providing your own NEMO_TOKEN rather than letting the skill auto-generate one; (3) ask the publisher where session tokens and any config files will be stored (the SKILL.md references ~/.config/nemovideo/ and checks local install paths); and (4) request the skill's source or privacy policy if you need assurance about data retention and token handling. The mismatches between registry metadata and the SKILL.md (config paths vs none) and the automatic anonymous-token flow are the main reasons this is flagged as suspicious rather than benign.Like a lobster shell, security has layers — review code before you run it.
latestvk97fgph87zcpnxw1tc3hms0h9x84kbc7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN