Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Workflow
v1.0.0
Edit raw video clips into polished edited clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. Content creators and marketers use it for...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: the skill uploads video files and calls a remote rendering API. Requesting a single NEMO_TOKEN credential is coherent for a cloud video service. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata listed no required config paths — this mismatch is unexplained.
Instruction Scope
Runtime instructions explicitly tell the agent to read local file paths (uploads), call multiple endpoints at https://mega-api-prod.nemovideo.ai (auth, upload, SSE, render, export), and poll session state. Uploading user files to a third-party service is intrinsic to the advertised feature, but it is a privacy/exfiltration vector and should be expected. The SKILL.md also instructs the agent to auto-generate an anonymous token (network POST to /api/auth/anonymous-token) if NEMO_TOKEN is missing — this creates network activity even without a pre-provided credential. The metadata/configPaths discrepancy leaves unclear whether the skill will read or write to ~/.config/nemovideo/.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk by an installer. This is the lowest install risk, but also means you must trust the instructions and remote endpoints the skill calls.
Credentials
Only a single credential (NEMO_TOKEN) is required, which aligns with a cloud video service. The skill will, however, attempt to acquire an anonymous token via a network call if no token is present — meaning it can operate without an explicit user-provided secret. The presence of the configPaths entry in SKILL.md metadata suggests possible access to a user config directory, which was not declared in the registry and is not justified in the instructions.
Persistence & Privilege
The skill does not request always:true and does not declare elevated platform privileges. Autonomous invocation is allowed (platform default). There is a small concern that the frontmatter implies a config path that could be used to persist tokens or config under ~/.config/nemovideo/ — the SKILL.md does not clearly state whether it will store the anonymous token locally.
What to consider before installing
This skill appears to do what it says (upload your videos to a cloud service, edit them, and return a downloadable file), but take these precautions before installing or using it:
- Expect your local video files to be uploaded to https://mega-api-prod.nemovideo.ai. Do not upload sensitive or private footage until you trust the service and its privacy/retention policies.
- The skill will accept a NEMO_TOKEN if you provide one, but if you don't it will request an anonymous token from the service automatically; this means the skill will make outbound network calls even without you supplying credentials.
- The SKILL.md metadata mentions a config path (~/.config/nemovideo/) that is not declared elsewhere — ask the publisher whether the skill reads/writes files there and how tokens are stored or persisted.
- Because this is an instruction-only skill (no code shipped, no repo/source provided), you must trust the documented API endpoints and behavior. If possible, ask for the service homepage, privacy policy, or source code; verify the domain and ownership of nemovideo.ai.
- Test with a short, non-sensitive clip first to confirm behavior and outputs.
If the publisher can confirm (a) whether tokens are ever stored locally and where, (b) provide a privacy/retention policy for uploaded media, and (c) reconcile the configPaths metadata, my confidence in this assessment would increase.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
