Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Manager Video

v1.0.0

edit raw video footage into managed video files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. managers and team leads use it for organiz...

0· 16·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (video editing) matches the API endpoints and actions described (upload, render, export). Requesting a single service token (NEMO_TOKEN) is proportionate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not declared in the registry metadata, which is an inconsistency and suggests the skill may expect local config or credentials beyond the declared env var.
!
Instruction Scope
Runtime instructions describe generating anonymous tokens, creating sessions, SSE-based editing, and uploading files. They explicitly show multipart upload syntax using local file paths (e.g., -F "files=@/path"), and ask callers to auto-detect an install path to set an X-Skill-Platform header. These steps imply the agent may access local filesystem paths or installation metadata — actions broader than 'send an attached video to a cloud render service' and worth clarifying. The instructions do not request unrelated system environment variables, but they do direct data (videos and session tokens) to an external API domain.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only. That minimizes on-disk risk because nothing is downloaded or installed by the skill itself.
Credentials
Only one credential is declared (NEMO_TOKEN), which fits a cloud API integration. However, the SKILL.md includes a fallback flow that will obtain an anonymous token by POSTing to an external endpoint, and the frontmatter references a config path (~/.config/nemovideo/) that is not declared elsewhere. The combination (declared env var + undocumented config path + ability to mint anonymous tokens) is inconsistent and should be explained by the publisher.
Persistence & Privilege
The skill does not request 'always: true' and does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed but is the platform default; nothing in the skill elevates privilege beyond normal use.
What to consider before installing
This skill appears to implement a cloud video-editing workflow, but before installing verify a few things: (1) Confirm the publisher and a homepage or repo — source is unknown. (2) Ask whether uploaded videos or metadata are sent to https://mega-api-prod.nemovideo.ai and what their retention/privacy policy is (important for internal/manager videos). (3) Clarify the frontmatter config path (~/.config/nemovideo/) and whether the skill will read local files or install paths — the SKILL.md mentions multipart uploads using local file paths and auto-detecting an install path, which could cause the agent to access local filesystem data. (4) Prefer providing a scoped NEMO_TOKEN rather than using anonymous-token fallback if you must use the skill. (5) If you manage sensitive content or have policy constraints, do not install until the vendor/source, data handling, and exact local-file access behavior are confirmed. If the publisher cannot explain the config-path and install-path auto-detection, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk97cck0sseb5j8thkq39raagfx855pgb
16downloads
0stars
1versions
Updated 6h ago
v1.0.0
MIT-0

Getting Started

Ready when you are. Drop your raw video footage here or describe what you want to make.

Try saying:

  • "edit a 10-minute team meeting recording into a 1080p MP4"
  • "trim the meeting, add chapter markers, and export a highlights reel for the team"
  • "organizing and editing manager or team videos for internal distribution for managers and team leads"

Getting Connected

Before handling any user request, establish a connection to the backend API. Show a brief status like "Connecting...".

If NEMO_TOKEN is in the environment, use it directly and create a session. Otherwise, acquire a free starter token:

  • Generate a UUID as client identifier
  • POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with the X-Client-Id header
  • The response includes a token with 100 free credits valid for 7 days — use it as NEMO_TOKEN

Then create a session by POSTing to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer authorization and body {"task_name":"project","language":"en"}. The session_id in the response is needed for all following requests.

Tell the user you're ready. Keep the technical details out of the chat.

Manager Video — Edit and Export Manager Videos

Drop your raw video footage in the chat and tell me what you need. I'll handle the AI video management on cloud GPUs — you don't need anything installed locally.

Here's a typical use: you send a a 10-minute team meeting recording, ask for trim the meeting, add chapter markers, and export a highlights reel for the team, and about 1-2 minutes later you've got a MP4 file ready to download. The whole thing runs at 1080p by default.

One thing worth knowing — keep clips under 5 minutes for faster processing and cleaner output.

Matching Input to Actions

User prompts referencing manager video, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

Every API call needs Authorization: Bearer <NEMO_TOKEN> plus the three attribution headers above. If any header is missing, exports return 402.

Three attribution headers are required on every request and must match this file's frontmatter:

HeaderValue
X-Skill-Sourcemanager-video
X-Skill-Versionfrontmatter version
X-Skill-Platformauto-detect: clawhub / cursor / unknown from install path

API base: https://mega-api-prod.nemovideo.ai

Create session: POST /api/tasks/me/with-session/nemo_agent — body {"task_name":"project","language":"<lang>"} — returns task_id, session_id.

Send message (SSE): POST /run_sse — body {"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}} with Accept: text/event-stream. Max timeout: 15 minutes.

Upload: POST /api/upload-video/nemo_agent/me/<sid> — file: multipart -F "files=@/path", or URL: {"urls":["<url>"],"source_type":"url"}

Credits: GET /api/credits/balance/simple — returns available, frozen, total

Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media

Export (free, no credits): POST /api/render/proxy/lambda — body {"id":"render_<ts>","sessionId":"<sid>","draft":<json>,"output":{"format":"mp4","quality":"high"}}. Poll GET /api/render/proxy/lambda/<id> every 30s until status = completed. Download URL at output.url.

Supported formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Error Handling

CodeMeaningAction
0SuccessContinue
1001Bad/expired tokenRe-auth via anonymous-token (tokens expire after 7 days)
1002Session not foundNew session §3.0
2001No creditsAnonymous: show registration URL with ?bind=<id> (get <id> from create-session or state response when needed). Registered: "Top up credits in your account"
4001Unsupported fileShow supported formats
4002File too largeSuggest compress/trim
400Missing X-Client-IdGenerate Client-Id and retry (see §1)
402Free plan export blockedSubscription tier issue, NOT credits. "Register or upgrade your plan to unlock export."
429Rate limit (1 token/client/7 days)Retry in 30s once

Backend Response Translation

The backend assumes a GUI exists. Translate these into API actions:

Backend saysYou do
"click [button]" / "点击"Execute via API
"open [panel]" / "打开"Query session state
"drag/drop" / "拖拽"Send edit via SSE
"preview in timeline"Show track summary
"Export button" / "导出"Execute export workflow

SSE Event Handling

EventAction
Text responseApply GUI translation (§4), present to user
Tool call/resultProcess internally, don't forward
heartbeat / empty data:Keep waiting. Every 2 min: "⏳ Still working..."
Stream closesProcess final response

~30% of editing operations return no text in the SSE stream. When this happens: poll session state to verify the edit was applied, then summarize changes to the user.

Draft field mapping: t=tracks, tt=track type (0=video, 1=audio, 7=text), sg=segments, d=duration(ms), m=metadata.

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "trim the meeting, add chapter markers, and export a highlights reel for the team" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

Export as MP4 for widest compatibility across platforms and devices.

Common Workflows

Quick edit: Upload → "trim the meeting, add chapter markers, and export a highlights reel for the team" → Download MP4. Takes 1-2 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...