ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Upload

v1.0.0

Turn a 2-minute MP4 recorded on a smartphone into 1080p processed video files just by typing what you need. Whether it's uploading raw footage for AI-powered...

0· 39·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description match its runtime instructions: it uploads videos and calls a cloud rendering API. Requesting a single NEMO_TOKEN credential is reasonable for this purpose. Minor inconsistency: the registry metadata claimed no required config paths, while the SKILL.md frontmatter lists ~/.config/nemovideo/ (used to persist session/token).
Instruction Scope
Instructions are focused on the nemo backend (session creation, SSE, upload, export). They also instruct the agent to automatically obtain an anonymous token from the external API if NEMO_TOKEN is not set and to store a session_id for subsequent calls. This behavior is expected for a cloud service integration, but it means the agent will POST user files and possibly persist session/token info to the user's environment — do not upload sensitive footage unless you trust the external service.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. Lower install risk.
Credentials
Only one environment variable (NEMO_TOKEN) is declared, which is proportionate. However, the SKILL.md also instructs the agent to fetch an anonymous token automatically if NEMO_TOKEN is absent. Declaring the token as primary while allowing automatic creation is a mild mismatch you should be aware of (you can set NEMO_TOKEN yourself to avoid anonymous provisioning).
Persistence & Privilege
The skill is not force-included (always: false) and does not request elevated platform privileges. It may persist session/token state (SKILL.md references storing session_id and frontmatter references ~/.config/nemovideo/), which is limited to the skill's own config and consistent with its function.
Assessment
This skill appears to do what it says: it uploads videos to nemo's cloud API and returns processed files. Before installing, consider: 1) Privacy: your raw videos will be sent to https://mega-api-prod.nemovideo.ai — avoid uploading sensitive or private footage unless you trust that service and its retention policy. 2) Token handling: the skill will auto-create an anonymous NEMO_TOKEN if none is present; set your own NEMO_TOKEN in env if you prefer control. 3) Persistence: the skill may write session/token info under ~/.config/nemovideo/ (frontmatter) despite the registry saying no config paths — verify where data is stored if that matters to you. 4) Billing/credits: the skill mentions free credits and credit-check endpoints; confirm any limits or billing before heavy use. If these points are acceptable, the skill is coherent for its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cayr9fnb6cc5k31fxm75dg184q0gk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📤 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments