Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Color Grading AI — AI Color Correction and Grading for Video
v1.0.0
Professional AI-powered color grading and color correction tool that enhances video aesthetics through intelligent chat commands. No complex color wheels or...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (AI color grading via an external NemoVideo API) is internally consistent with the skill's description. However, the SKILL.md names mega-api-prod.nemovideo.ai as the processing backend but does not declare any required credentials, API keys, or how the agent should authenticate — that omission is unexpected for a cloud service integration.
Instruction Scope
The runtime instructions are vague: they instruct the agent to 'apply color grading' and state processing occurs on NemoVideo's backend, but they do not describe how to upload videos, what data is sent, whether uploads are encrypted, retention/processing policies, or whether user consent is required. This effectively authorizes the agent to send user video to an external domain without explicit, scoped guidance.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write artifacts to disk or pull external installers — low install footprint.
Credentials
No environment variables or credentials are declared. For a skill that depends on an external API, the absence of declared API keys or auth requirements is unusual and could mean either (a) the API is public (no auth) or (b) the skill omitted required credentials. Either case should be explained before use because it affects privacy and billing.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system config, and requests no persistent privileges — normal and expected.
What to consider before installing
This skill would cause your agent to send videos to an external service (mega-api-prod.nemovideo.ai) but gives no details about authentication, encryption, retention, or privacy. Before installing or using it, ask the provider: (1) Does the API require an API key or account? If so, why isn't it declared? (2) Exactly how will videos be uploaded (endpoint, HTTPS, chunking)? (3) What are retention and deletion policies and who can access processed videos? (4) Is there any billing or data-sharing? If you can't get clear answers, avoid sending sensitive video — test only with non-sensitive samples and require the agent to request explicit permission before uploading any user files. If you need stricter control, prefer skills that declare required credentials and document their data flow and privacy policy.
Runtime requirements
🎬 Clawdis
