Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Magic Light Ai
v1.0.1Got footage that looks flat or poorly lit? magic-light-ai fixes lighting in your videos using cloud-based AI processing. Upload an MP4 or MOV, tell it what y...
⭐ 0· 37·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (video lighting via cloud AI) aligns with the runtime instructions and API endpoints (upload, render, SSE). However the SKILL.md metadata declares a config path (~/.config/nemovideo/) that is not listed in the registry requirements—an inconsistency between declared registry metadata and the embedded YAML.
Instruction Scope
Instructions tell the agent to upload local video files to an external API (expected for this skill) and to send/receive SSE streams and polling calls. The SKILL.md also instructs attribution header values derived from install paths (~/.clawhub, ~/.cursor/skills/) which implies the agent may check the user's home directory to detect platform—this is additional filesystem access beyond merely reading an NEMO_TOKEN and the files the user explicitly uploads. All network calls go to mega-api-prod.nemovideo.ai (no other endpoints), which is consistent with the described service but means user media and metadata are sent off-device.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is written to disk by an installer as part of the skill package itself, lowering install risk.
Credentials
The skill declares a single primary credential (NEMO_TOKEN) which is proportionate for a cloud service. But the SKILL.md metadata references a config path (~/.config/nemovideo/) that the registry entry did not list; this mismatch should be resolved. The skill can also obtain an anonymous token via an API call if NEMO_TOKEN is absent—so requiring a pre-set NEMO_TOKEN is optional for registered users but should be documented clearly.
Persistence & Privilege
always:false and normal model invocation behavior. The skill does not request permanent system-level privileges or to modify other skills. There is a minor concern that the skill infers an install path for attribution (may check for directories), but it does not request elevated persistent presence.
What to consider before installing
What to consider before installing:
- This skill uploads videos and related metadata to an external domain (mega-api-prod.nemovideo.ai). Don’t upload sensitive or private footage unless you trust the service and its privacy/retention policies.
- The skill expects a NEMO_TOKEN; you can also obtain an anonymous token via the described anonymous-token call. Prefer using a limited-scope or throwaway token rather than a token tied to broader account access.
- SKILL.md references a local config path (~/.config/nemovideo/) and checks common install directories (~/.clawhub, ~/.cursor/skills/) to set an attribution header. Ask the publisher why those paths are needed and whether the skill will inspect your home directory—if you’re uncomfortable, decline installation or sandbox the agent.
- There is no homepage or source URL and the registry record is sparse. If you plan to use this for important work, ask the publisher for: (1) service privacy/retention policy, (2) source or homepage, and (3) clarification about the NEMO_TOKEN vs anonymous-token behavior.
- Because this is instruction-only (no packaged code), the main risks are data exfiltration (your uploaded videos) and accidental token exposure. Only set NEMO_TOKEN in environment variables you control, and rotate/revoke it if you stop using the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk976swx7cvm048f0hbfm9yptf584fm0c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💡 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN