ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Compress Video

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — compress this video to under 100MB without losing too much quality — and g...

0· 56·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an instruction-only wrapper around a cloud rendering service (nemovideo.ai). Requesting a single NEMO_TOKEN credential and calling render/upload endpoints is coherent with a cloud-based video compressor. However, the registry metadata lists a config path (~/.config/nemovideo/) that the SKILL.md does not actually reference, and the skill is declared to require NEMO_TOKEN while the instructions provide an anonymous-token fallback — this mismatch is unexpected.
Instruction Scope
SKILL.md explicitly confines actions to creating a session, uploading user-provided media, handling SSE for progress, and requesting renders from the documented API. It does not instruct reading arbitrary files, shell history, or unrelated environment variables. It does, however, instruct automatic anonymous token generation if NEMO_TOKEN is absent and requires always adding attribution headers to requests.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk install mechanism; runtime network calls are the primary surface.
!
Credentials
The skill declares NEMO_TOKEN as the primary credential which is appropriate for a cloud service, but then describes an automatic anonymous-token acquisition flow when the env var is missing. Requiring an env var while also auto-creating a token is inconsistent and could lead to unexpected token creation/storage. The metadata's declared config path (~/.config/nemovideo/) is not referenced in the instructions — either the metadata is stale/incorrect or the skill may later attempt to access that path, which would be disproportionate for a simple instruction set.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It stores session_id in-memory for requests and polls the backend; it does not declare modifications to other skills or global agent configs.
What to consider before installing
This skill uploads your video files to https://mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or will create a short‑lived anonymous token automatically). Before installing: (1) Confirm you are comfortable uploading any videos you send (do not upload sensitive/private footage). (2) Verify the remote domain and its privacy/retention policy. (3) Ask the publisher why the metadata declares ~/.config/nemovideo/ and yet the runtime instructions don’t use it, and why NEMO_TOKEN is listed as required if the skill can auto‑create a token. (4) Consider using a throwaway account or short‑lived token for testing. If you need me to, I can draft questions to the publisher or summarize the privacy risks in plain language.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fw3dxp3yymafecb8epmrkq184mcrc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🗜️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments