Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Best Screen Record
v1.0.0Cloud-based best-screen-record tool that handles cleaning up and enhancing screen recordings for tutorials or demos. Upload MP4, MOV, AVI, WebM files (up to...
⭐ 0· 76·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the runtime instructions: the skill uploads videos, creates a session, and requests rendering from a cloud API. Requiring a single NEMO_TOKEN credential is consistent. However, the SKILL.md frontmatter advertises a config path (~/.config/nemovideo/) and platform-detection logic that are not reflected in the registry metadata (the manifest listed no required config paths). That mismatch is unexplained.
Instruction Scope
Instructions include network calls to https://mega-api-prod.nemovideo.ai for anonymous-token acquisition, session creation, SSE streaming, uploads and exports — these are expected for a cloud video service. Concerns: (1) the SKILL.md expects to detect an install path to set X-Skill-Platform (this implies the agent may inspect filesystem locations or runtime install paths); (2) upload instructions show using multipart with file=@/path which could lead the agent to read arbitrary filesystem paths if not constrained to user-provided files; (3) SKILL.md references storing/using tokens and a config directory but does not specify how/where tokens are persisted. These filesystem/config actions expand the skill's scope beyond pure API bridging.
Install Mechanism
Instruction-only skill with no install spec or code files. This is lowest install risk — nothing is downloaded or written by an installer step in the manifest.
Credentials
Only one environment credential is declared (NEMO_TOKEN) and is clearly the primary credential for the cloud API, which is proportionate. The SKILL.md also describes obtaining an anonymous token if NEMO_TOKEN is absent (reasonable), but combined with the hinted config path it implies the token may be persisted on disk — this should be confirmed.
Persistence & Privilege
always:false and no install-time persistence specified in the registry. The only potential persistence is implied by the SKILL.md mention of a config directory (~/.config/nemovideo/) where tokens or session data might be stored; the manifest did not declare or require that path, so persistence behavior is unclear but not confirmed.
What to consider before installing
This skill broadly appears to do what it says (cloud video edits), but there are a few things to verify before installing or using it: 1) Confirm the API domain (mega-api-prod.nemovideo.ai) is legitimate for the provider you expect. 2) Ask the publisher where and how the NEMO_TOKEN and session IDs are stored (SKILL.md hints at ~/.config/nemovideo/ but the registry metadata did not require that path). If you don't want persistent tokens on disk, insist the agent only uses ephemeral in-memory tokens. 3) Only upload files you intend to share; if the agent is permitted to accept arbitrary filesystem paths it could access unintended files — restrict uploads to explicit user-provided attachments. 4) If possible, use a disposable/limited token (or anonymous flow) rather than a long-lived credential. 5) If you need higher assurance, request the publisher provide a clear manifest update that documents config path usage and any file I/O the skill will perform. Because of the registry vs SKILL.md inconsistencies and implied filesystem access, proceed cautiously.Like a lobster shell, security has layers — review code before you run it.
latestvk9752jkm53tsvme0v73xfzqwyx84jgz4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🖥️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN