Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Online
v1.0.0
Edit video clips into polished MP4 files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. Content creators use it for editing and enhancing...
⭐ 0· 55·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (online video editing) align with the API endpoints and actions described (upload, SSE-based editing, render/export). Requesting a NEMO_TOKEN credential and offering an anonymous-token fallback is coherent for a cloud service. However, the skill frontmatter references a configuration path (~/.config/nemovideo/) which is not mentioned elsewhere in the registry summary; it's unclear why a purely cloud-based, instruction-only skill needs a local config path.
Instruction Scope
Instructions direct the agent to upload user media and interact with https://mega-api-prod.nemovideo.ai, which is expected for the stated purpose. But the runtime guidance also instructs auto-detection of an 'install path' to set X-Skill-Platform and references a local config directory; auto-detecting install paths or reading ~/.config may require examining the agent's filesystem or install metadata. The spec also tells the agent to keep technical details out of chat (i.e., do internal token acquisition), which reduces transparency. These behaviors expand scope beyond simple API calls and raise privacy/host-access concerns.
Install Mechanism
No install spec and no code files — instruction-only skill. That is the lower-risk option: nothing will be downloaded or written by an installer step.
Credentials
The only declared credential is NEMO_TOKEN (primaryEnv), which is appropriate for a hosted video-editing service. The skill also documents a fallback anonymous-token acquisition flow, which is reasonable. The presence of a config path (~/.config/nemovideo/) in the skill frontmatter is not well-justified and could imply reading/writing local cached tokens or settings; this should be clarified. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not claim to modify other skills or agent-wide settings. Autonomous invocation is allowed (platform default) but not a new risk introduced by this skill.
What to consider before installing
This skill appears to be a standard cloud video-editing frontend: it uploads your media to mega-api-prod.nemovideo.ai, uses a NEMO_TOKEN when present (or obtains a temporary anonymous token), and returns export URLs. Before installing or using it, consider:
1) Are you comfortable uploading your video content to https://mega-api-prod.nemovideo.ai? Sensitive videos may leak private information.
2) The skill references reading/using ~/.config/nemovideo/ and auto-detecting an install path — ask the publisher what local files are accessed or stored and why.
3) Only provide a NEMO_TOKEN that is scoped to this service; do not reuse high-privilege tokens.
4) The registry metadata and the SKILL.md frontmatter slightly disagree about config paths — request clarification from the publisher.
If you need stronger assurance, ask for the skill’s source code or a privacy/data-retention statement from the owner before using it.
Like a lobster shell, security has layers — review code before you run it.
latest vk972qybwmxs8ck775vmsyzxb3d84nvx8
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
