ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Youtube

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — cut dead air, add transitions, and export ready for YouTube upload — and g...

0· 47·0 current·0 all-time
by@dsewell-583h0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill requests a single credential (NEMO_TOKEN) and calls a video-rendering API — this is consistent with an AI video editor. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier said no required config paths; that inconsistency should be clarified by the author.
Instruction Scope
Instructions stay within video-editing scope (create session, upload files, SSE for editing, render/export). They do require uploading users' raw video files and sending tokens/session IDs to https://mega-api-prod.nemovideo.ai. The doc also asks to auto-detect an install path to set X-Skill-Platform headers, which could require filesystem/agent context; this is not clearly explained.
Install Mechanism
No install spec and no code files (instruction-only), so nothing will be downloaded or written by an installer. This minimizes install-time risk.
Credentials
Only NEMO_TOKEN is required (primaryEnv), which is proportionate for a cloud video service. Still: the token grants access to an external API that will receive user files. The service domain and absence of a public homepage/source make it harder to verify what that token grants. Also frontmatter/configPath mismatch raises questions about whether the agent might attempt to read local config files.
Persistence & Privilege
The skill does not request always:true and has no install-time persistence. Autonomous invocation (disable-model-invocation:false) is normal platform behavior and not in itself flagged.
What to consider before installing
This skill appears to actually perform cloud video edits, but review before installing: (1) The upstream API domain (mega-api-prod.nemovideo.ai) has no listed homepage/source — verify the vendor and privacy policy. (2) The skill will upload your raw videos and use a NEMO_TOKEN to access the service; only provide a token if you trust the service. Prefer short-lived/anonymous tokens or testing with non-sensitive videos first. (3) Ask the author to clarify the config-path mention (~/.config/nemovideo/) because registry metadata conflicts with the SKILL.md. (4) If you proceed, monitor and be prepared to revoke the token/credentials if you see unexpected activity.

Like a lobster shell, security has layers — review code before you run it.

latestvk978r47sn2bbxmfkwy0we5ngtn84n8dz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments