ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Download

v1.0.0

Turn a 2-minute unedited screen recording into 1080p edited MP4 files just by typing what you need. Whether it's editing and downloading polished videos with...

0· 37·0 current·0 all-time
by@dsewell-583h0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md describes uploading videos to a nemo-video backend and exporting edited MP4s, and the skill requires a NEMO_TOKEN which is appropriate for that service. However, the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/) while the registry metadata above claims no required config paths — this mismatch should be clarified.
!
Instruction Scope
Instructions call for uploading local files or URLs to https://mega-api-prod.nemovideo.ai, creating/using a session token, sending SSE messages, polling render endpoints, and storing session_id for subsequent requests — all expected for a cloud render service. Concerning points: the skill instructs detecting an 'install path' (e.g. ~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform headers and references a config path in YAML frontmatter; that implies reading filesystem locations for platform/config detection which is broader than strictly needed to edit a single uploaded video. The skill also instructs not to display raw API responses or tokens, which is fine but increases the risk that token handling/persistence is opaque to the user.
Install Mechanism
There is no install spec and no code files — this is instruction-only. That reduces risk because nothing new is written to disk by an installer.
Credentials
Only one credential (NEMO_TOKEN) is declared as required and it directly maps to the backend service the skill uses. The instructions even provide a fallback anonymous-token flow so a user-provided token is not mandatory. No unrelated secrets or large set of env vars are requested.
Persistence & Privilege
always:false and normal autonomous invocation are used (no forced always-on privilege). The skill tells the agent to 'store the returned session_id for all subsequent requests' but doesn't specify storage scope (memory vs persistent disk). Clarify whether tokens/session_ids are persisted across agent restarts and where they're stored.
What to consider before installing
This skill appears to do what it claims (upload your video to a NemoVideo backend and return an edited MP4) and only needs a NEMO_TOKEN. Before installing or using it, consider: (1) Privacy: your raw footage will be uploaded to https://mega-api-prod.nemovideo.ai — do not upload sensitive/confidential content unless you trust that service and have reviewed its privacy terms. (2) Metadata mismatch: the SKILL.md references a config path (~/.config/nemovideo/) and asks the agent to detect install paths — ask the author to clarify what filesystem reads the skill performs and whether any local files are accessed. (3) Token storage: confirm whether session tokens are stored persistently and where; prefer ephemeral/in-memory storage if you are concerned about credential persistence. (4) Verify the service/domain independently (nemovideo.ai) since the skill source and homepage are unknown. If any of these are unacceptable, do not install or only use with non-sensitive test videos.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c0b6s4fva9nqka0xqnxwqgx84staz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments