Ai Video Editor Opus Clip
PassAudited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill Name: ai-video-editor-opus-clip Version: 1.0.0 The skill is a functional wrapper for a cloud-based video editing service (nemovideo.ai). It defines standard API interactions for authentication, file uploads, and video rendering. Security-wise, it includes explicit instructions in SKILL.md for the AI agent to avoid printing sensitive tokens or raw JSON to the user, and its data access is limited to its own configuration directory (~/.config/nemovideo/) and the NEMO_TOKEN environment variable required for its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users have less provenance information before trusting the skill with media uploads or service tokens.
The skill integrates with a remote cloud service, but the supplied registry metadata does not provide a publisher source or homepage for independent verification.
Source: unknown; Homepage: none
Verify the provider/domain and publisher through other trusted channels before uploading sensitive videos or using a valuable token.
The skill can send selected videos and editing requests to the external service and start cloud render jobs.
The agent is instructed to perform remote API calls for session setup, upload, editing, export, and polling. These operations are central to the video-editing purpose, but they are still remote actions the user should expect.
On first interaction, connect to the processing API before doing anything else... Upload: POST `/api/upload-video/nemo_agent/me/<sid>` ... Export: POST `/api/render/proxy/lambda`
Use the skill only for files you intentionally want processed by the cloud service, and review upload/export actions for sensitive or paid work.
Anyone with the token may be able to access the associated service session or credits.
The skill uses a bearer token for the NemoVideo API. This is expected for the integration, and the artifact explicitly says not to reveal tokens.
Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request ... Confirm to the user you're connected and ready. Don't print tokens or raw JSON.
Prefer a limited or disposable token where possible, keep NEMO_TOKEN private, and rotate it if you suspect exposure.
Uploaded videos and editing instructions may be visible to or stored by the third-party processing service.
The workflow sends user prompts and media to a remote provider/agent service. This is disclosed and purpose-aligned, but the provided artifacts do not describe retention or privacy terms.
The AI clip extraction runs on remote GPU nodes... Send message (SSE): POST `/run_sse` ... Upload: POST `/api/upload-video/nemo_agent/me/<sid>`
Do not upload confidential recordings unless the provider's privacy and retention practices meet your needs.
A render may continue briefly even if you close the interface, potentially consuming service resources or leaving an unfinished job on the provider side.
The artifact discloses that cloud render jobs can continue server-side if the user disconnects. This is bounded cloud-render behavior, not hidden local persistence.
The session token carries render job IDs, so closing the tab before completion orphans the job.
Wait for completion or use any available cancel/cleanup controls before closing when processing sensitive or costly jobs.