Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Youtube Video

v1.0.0

edit raw video footage into YouTube-ready videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. YouTubers use it for editing and optimizi...

0· 29·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an instruction-only video-editing frontend that talks to nemo-video cloud endpoints — that aligns with the name/description. However the manifest declares NEMO_TOKEN as a required environment variable while the runtime instructions also describe automatically obtaining an anonymous token if NEMO_TOKEN is absent. This mismatch (declared required vs. auto-provisioning) is inconsistent and should be clarified.
!
Instruction Scope
Runtime instructions instruct the agent to (a) POST to external nemo-api endpoints to mint tokens and create sessions, (b) store returned session_id and tokens for subsequent requests, (c) detect the agent install path to set an attribution header, and (d) explicitly hide raw API responses and token values from the user. Storing tokens and probing filesystem paths expands scope beyond just forwarding files and edits; instructing the agent to hide token values is unusual and reduces transparency for users.
Install Mechanism
This is an instruction-only skill (no install spec and no code files), so nothing is written to disk by an install process. That is the lowest-risk install model.
!
Credentials
Only NEMO_TOKEN is requested which is appropriate for a third-party video API. But metadata also lists a config path (~/.config/nemovideo/) and the skill instructs storing session tokens; combined with the required-but-optional credential flow this is disproportionate or at least inconsistent. The skill does not request unrelated credentials, which is good.
Persistence & Privilege
The skill asks the agent to persist session IDs/tokens (implied config storage). It does not request always:true and does not modify other skills or system-wide settings. Persisting tokens is a legitimate behavior for session continuity but increases persistence and should be transparent to the user.
What to consider before installing
This skill appears to do what it says (calls a nemovideo cloud API to edit videos), but there are a few red flags to address before installing: 1) Clarify the credential flow — the manifest marks NEMO_TOKEN as required but the instructions will auto-create an anonymous token if it's missing. Decide whether you want to provide your own token or let the skill create one. 2) Ask where session tokens are stored (the skill references ~/.config/nemovideo/) and verify file permissions and retention; if you’re uncomfortable, run it without persistent storage or clear the config after use. 3) The instructions tell the agent to hide raw API responses and token values from the user — ask the publisher why and insist on transparency for debugging and security. 4) Consider privacy: any uploaded video will be sent to https://mega-api-prod.nemovideo.ai; avoid uploading sensitive content until you trust the service. 5) If you must proceed, test with non-sensitive sample videos and monitor network activity; prefer supplying your own, revokable token and remove any stored session files when done. If you cannot get satisfactory answers from the publisher, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk972fdbzt37e25qfmbmafxxxtd8548d9
29downloads
0stars
1versions
Updated 19h ago
v1.0.0
MIT-0

Getting Started

Share your raw video footage and I'll get started on AI video optimization. Or just tell me what you're thinking.

Try saying:

  • "edit my raw video footage"
  • "export 1080p MP4"
  • "trim silences, add subtitles, and optimize"

First-Time Connection

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

Authentication: Check if NEMO_TOKEN is set in the environment. If it is, skip to step 2.

  1. Obtain a free token: Generate a random UUID as client identifier. POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id set to that UUID. The response data.token is your NEMO_TOKEN — 100 free credits, valid 7 days.
  2. Create a session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Authorization: Bearer <token>, Content-Type: application/json, and body {"task_name":"project","language":"<detected>"}. Store the returned session_id for all subsequent requests.

Keep setup communication brief. Don't display raw API responses or token values to the user.

AI YouTube Video — Edit and Export YouTube Videos

This tool takes your raw video footage and runs AI video optimization through a cloud rendering pipeline. You upload, describe what you want, and download the result.

Say you have a 10-minute raw YouTube vlog recording and want to trim silences, add subtitles, and optimize for YouTube upload — the backend processes it in about 1-2 minutes and hands you a 1080p MP4.

Tip: keeping clips under 5 minutes speeds up processing significantly.

Matching Input to Actions

User prompts referencing ai youtube video, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is ai-youtube-video, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

Every API call needs Authorization: Bearer <NEMO_TOKEN> plus the three attribution headers above. If any header is missing, exports return 402.

API base: https://mega-api-prod.nemovideo.ai

Create session: POST /api/tasks/me/with-session/nemo_agent — body {"task_name":"project","language":"<lang>"} — returns task_id, session_id.

Send message (SSE): POST /run_sse — body {"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}} with Accept: text/event-stream. Max timeout: 15 minutes.

Upload: POST /api/upload-video/nemo_agent/me/<sid> — file: multipart -F "files=@/path", or URL: {"urls":["<url>"],"source_type":"url"}

Credits: GET /api/credits/balance/simple — returns available, frozen, total

Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media

Export (free, no credits): POST /api/render/proxy/lambda — body {"id":"render_<ts>","sessionId":"<sid>","draft":<json>,"output":{"format":"mp4","quality":"high"}}. Poll GET /api/render/proxy/lambda/<id> every 30s until status = completed. Download URL at output.url.

Supported formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

Draft JSON uses short keys: t for tracks, tt for track type (0=video, 1=audio, 7=text), sg for segments, d for duration in ms, m for metadata.

Example timeline summary:

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "trim silences, add subtitles, and optimize for YouTube upload" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

Export as MP4 for widest compatibility with YouTube's upload system.

Common Workflows

Quick edit: Upload → "trim silences, add subtitles, and optimize for YouTube upload" → Download MP4. Takes 1-2 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...