ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Add Music To

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — add upbeat background music to my YouTube video and balance it with the vo...

0· 51·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (add background music to YouTube videos) aligns with the runtime instructions: it uploads video files and calls an external rendering API (mega-api-prod.nemovideo.ai) using a bearer token (NEMO_TOKEN). Requesting NEMO_TOKEN and a nemovideo config path is reasonable for a cloud-based video-processing service.
!
Instruction Scope
Most instructions stay on-topic (upload, SSE chat, session creation, export/polling). However, the SKILL.md instructs the agent to detect the agent install path (~/.clawhub/, ~/.cursor/skills/, etc.) to set an X-Skill-Platform header. Those filesystem checks are unrelated to video processing and are not declared in requires.configPaths. Probing home-directory installation paths is privacy-sensitive and unnecessary for the stated feature.
Install Mechanism
There is no install spec and no code files — this is instruction-only, so nothing is written to disk by the skill itself. That is the lowest-risk install pattern.
Credentials
The skill only declares a single credential (NEMO_TOKEN) and a service-specific config path (~/.config/nemovideo/), which is proportional to invoking the NemoVideo API. However, the instruction to probe other common install paths for attribution is not declared and slightly expands file-access scope beyond the stated configPaths.
Persistence & Privilege
always:false and no special privileges are requested. The skill uses session tokens and ephemeral session_id values as part of normal operation. Autonomous invocation is enabled by default (normal for skills) and not by itself a red flag.
What to consider before installing
This skill will upload any videos you provide to https://mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or will fetch a short-lived anonymous token). That behavior is expected for cloud processing, but note the skill also asks the agent to check several install-paths in your home directory to set an attribution header — this file-system probing is not necessary for adding music and may leak which client environment you use. Before installing or using it: (1) confirm you trust the nemo video service and its privacy policy, (2) avoid uploading sensitive video/audio, (3) consider setting a limited-scope or short-lived NEMO_TOKEN instead of a long-lived credential, and (4) if you want to be strict, ask the author to remove the install-path probing or to declare those configPaths explicitly.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b6dryxagvsfnt45makrt26x84nnv3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments