Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editeur Video Gratuit

v1.0.0

content creators and students edit video clips into edited MP4 videos using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 108...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match a cloud video-editing service; requiring a NEMO_TOKEN credential and making requests to a nemo video API is proportionate to that purpose. However, the metadata also declares a config path (~/.config/nemovideo/) which the runtime instructions do not explicitly read — a minor mismatch.
Instruction Scope
SKILL.md instructs the agent to upload user-provided video files and session data to https://mega-api-prod.nemovideo.ai and to stream/poll SSE endpoints. This is coherent for cloud rendering, but the document also instructs the skill to detect an install path (e.g., ~/.clawhub/ or ~/.cursor/skills/) to set X-Skill-Platform headers — that implies inspecting the local filesystem to determine agent install location, which is outside the core editing task and could expose local environment details. The skill also auto-generates or fetches an anonymous NEMO_TOKEN if none is present, which means the agent will call an external auth endpoint and keep that token.
Install Mechanism
Instruction-only skill with no install spec or downloaded code — lowest install risk. Nothing is written to disk by an installer step in the SKILL.md.
Credentials
Only one declared env var (NEMO_TOKEN), which is appropriate for a cloud API. The SKILL.md also describes creating an anonymous token when NEMO_TOKEN is absent; this behavior is reasonable but should be noted because it induces network calls and results in the skill holding a short-lived credential. The declared config path is not otherwise used in the instructions, which is an inconsistency worth clarifying.
Persistence & Privilege
always:false and no install steps. The skill does require storing session_id and tokens for operation, but it does not request elevated platform privileges or force inclusion in all agent runs.
What to consider before installing
This skill will upload any video files you give it to a third-party service (mega-api-prod.nemovideo.ai) and will use or obtain a NEMO_TOKEN credential to do so. That behaviour is expected for cloud rendering, but consider: (1) Do you trust the remote service with your video and its metadata? (2) Are there privacy or copyright concerns for material you upload? (3) The skill may inspect local install paths (to set X-Skill-Platform) — ask the author to confirm what filesystem checks are performed and why. Also ask why ~/.config/nemovideo/ appears in metadata but isn't referenced in runtime steps. If you need stronger guarantees, request the service's privacy/retention policy, or avoid uploading sensitive videos. If anything about the domain, token issuance, or file handling is unclear, treat the skill as untrusted until you get clarifications.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a3qktx0psggj0wse5d5wrd584kp9f

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
