Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free Rtk Compressor
v1.0.0
Skip the learning curve of professional editing software. Describe what you want — compress this RTK video file to under 500MB without losing quality — and g...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to compress/upload video via a cloud backend and all described API endpoints and actions align with that purpose. Requesting a NEMO_TOKEN to authenticate with the backend is appropriate. However, the frontmatter and registry metadata mismatch: the SKILL.md includes a configPaths entry (~/.config/nemovideo/) but the registry metadata earlier listed no required config paths; this inconsistency should be clarified.
Instruction Scope
Instructions are mainly limited to interacting with the remote nemovideo.ai API (session creation, SSE chat, upload, export) which is in-scope. They also instruct: (1) creating an anonymous token if NEMO_TOKEN isn't present, (2) including attribution headers and detecting the agent install path (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform, and (3) reading YAML frontmatter for version. Reading the agent install path and frontmatter is benign but expands scope beyond pure upload/encode actions and could reveal local environment details; the skill doesn't explicitly say whether it will persist tokens or write to ~/.config/nemovideo/.
Install Mechanism
This is an instruction-only skill with no install spec or added binaries, so there is no download/extract risk. That lowers disk-write and supply-chain risk.
Credentials
The registry lists NEMO_TOKEN as a required env var and the frontmatter marks it as primaryEnv, which is proportional for a cloud video service. However, SKILL.md also instructs the agent to automatically request an anonymous token if NEMO_TOKEN is not found (and the frontmatter includes a configPaths entry). This is a mismatch: the skill both requires an env var and contains logic to generate one. It's unclear whether the generated anonymous token is stored locally (e.g., under ~/.config/nemovideo/) or kept only in memory; persistent storage would increase risk. Also the skill will read install paths to set attribution headers — that reveals filesystem layout.
Persistence & Privilege
always is false and the skill does not request elevated persistent privileges. However, the presence of configPaths in the frontmatter suggests it may write/read under ~/.config/nemovideo/ (not declared elsewhere); clarify whether the skill will store tokens or state on disk. Autonomous invocation is allowed (normal) and not a standalone concern here.
What to consider before installing
This skill appears to do what it says (upload video to a cloud compressor) but has a few inconsistencies you should clear up before installing:
1) The registry declares NEMO_TOKEN as required, but the instructions also generate an anonymous NEMO_TOKEN if none is present — ask whether the skill will persist that token to disk (e.g., ~/.config/nemovideo/) or keep it only in memory. Persistent storage would increase risk.
2) The skill will read the agent's install path and YAML frontmatter to set X-Skill-Platform/version headers — this reveals some local environment details; confirm exactly which paths are read.
3) All uploads go to a third-party domain (mega-api-prod.nemovideo.ai); verify you trust that service and its privacy policy because uploaded video content may include sensitive data.
Recommendations before use: do not set any high-privilege credentials as NEMO_TOKEN, test the skill in a sandboxed environment with non-sensitive videos first, ask the author to clarify the configPath usage and token persistence behavior, and if possible review network traffic or logs to confirm tokens are not exfiltrated to unexpected endpoints.
If the author confirms no tokens are stored on disk and configPaths are unused, and the only credential is a limited anonymous token, the inconsistencies become less concerning.
Like a lobster shell, security has layers — review code before you run it.
latest vk970zmnxptap34n6zjppqt290s84pm2b
Runtime requirements
🗜️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
