ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jpeng Video

v1.0.0

convert raw video footage into compressed MP4 files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators use it for compressin...

0· 55·0 current·0 all-time
by@dsewell-583h0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description claim cloud video compression and the SKILL.md instructs use of a single service (mega-api-prod.nemovideo.ai) and a NEMO_TOKEN — that is coherent. However the SKILL.md metadata lists a config path (~/.config/nemovideo/) even though the registry metadata lists 'Required config paths: none', creating a mismatch between declared requirements and the runtime instructions.
!
Instruction Scope
Runtime instructions perform network operations (session creation, SSE chat, uploads, export polling) which are expected for a cloud render service, but they also instruct the agent to: read this file's YAML frontmatter at runtime, detect install path by probing user paths (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform, and reference a local config path in metadata. Those filesystem probes go beyond just uploading a user-supplied video and increase the skill's read-scope on the agent environment.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest install risk.
Credentials
The skill only requires a single credential (NEMO_TOKEN), which is appropriate for a third‑party API. The SKILL.md also describes obtaining an anonymous token via an API call if NEMO_TOKEN is not present. Still, the metadata/config-path mismatch (SKILL.md claims a config path but registry shows none) is unexplained and worth verifying.
Persistence & Privilege
always:false and normal autonomy settings. The skill does not request permanent 'always' presence or other skills' credentials, so it does not demand elevated persistence.
What to consider before installing
This skill appears to be a cloud-based video compressor that uploads your files to mega-api-prod.nemovideo.ai and uses a single API token (NEMO_TOKEN). Before installing or invoking it: (1) confirm you trust the nemovideo domain and its privacy policy — uploaded videos will leave your machine; (2) avoid sending sensitive or private footage unless you’ve verified the service; (3) verify the registry metadata vs. SKILL.md (SKILL.md mentions ~/.config/nemovideo/ and probing install paths) and ask the publisher why that path is needed; (4) be aware the skill will read its own frontmatter and check common directories to set attribution headers (these are modest filesystem reads but worth noting); (5) prefer providing an explicit, limited token for this service rather than sharing broader credentials. If you want higher assurance, request the skill's publisher/source code or ask them to remove the config-path and install-path probes.

Like a lobster shell, security has layers — review code before you run it.

latestvk974x61a4rzhe1n988t69f2mvx84n1ks

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎞️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments