Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Highlight Editor Youtube

v1.0.0

Turn a 45-minute YouTube gaming stream into 1080p highlight reel clips just by typing what you need. Whether it's generating short highlight clips from long...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (extract highlights from YouTube videos) matches the API endpoints described (upload, render, export) and the single required credential (NEMO_TOKEN) is consistent with a 3rd‑party rendering backend. However, metadata/instruction inconsistencies exist: the registry lists no config paths but the SKILL.md frontmatter requires ~/.config/nemovideo/, and while NEMO_TOKEN is declared required the SKILL.md provides an anonymous-token flow that obtains a token automatically if NEMO_TOKEN is unset — that mismatch reduces transparency.
Instruction Scope
The runtime instructions direct the agent to obtain/store tokens, create sessions, upload user video files or URLs, poll render status, and include attribution headers derived by probing install path. Uploading user media to https://mega-api-prod.nemovideo.ai is outside the user's machine and requires explicit user consent; the skill also reads the agent install path to set X-Skill-Platform, which is a cross-cutting system probe not strictly required for video editing. The SKILL.md instructs suppressing raw token display and storing tokens, but gives no storage location or retention policy.
Install Mechanism
This is instruction-only with no install spec or additional binaries — lowest install risk. Nothing written to disk by an installer is declared.
Credentials
Only one credential (NEMO_TOKEN) is declared, which is proportionate for a hosted rendering API. But the SKILL.md auto-generates an anonymous token when the env var is absent; that behavior contradicts the registry's 'required env var' declaration and means the skill will operate without an explicit user-provided credential. The frontmatter also mentions a config path (~/.config/nemovideo/) not present in registry metadata — unclear why that path is required or read.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does instruct creating/storing session tokens and job IDs for its own operation, which is normal for a cloud service integration and not inherently privileged.
What to consider before installing
This skill will send your videos to a third‑party service (mega-api-prod.nemovideo.ai) and can automatically mint and store an anonymous token if you don't supply one. Before installing or using: (1) confirm who operates nemovideo.ai and review their privacy/retention policy for uploaded media; (2) prefer providing your own NEMO_TOKEN if you want control over credentials; (3) avoid uploading sensitive or private videos until you verify data handling; (4) ask the publisher why the registry metadata differs from SKILL.md (config path vs none, and 'required' env var vs anonymous-token flow). These inconsistencies are the reason this skill is flagged as suspicious.

Like a lobster shell, security has layers — review code before you run it.

latest vk97emkbfaj5xppa9sxf3zjq22s84ncmx


Runtime requirements

✂️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
