Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor Online Ai

v1.0.0

Get edited MP4 clips ready to post, without touching a single slider. Upload your raw video clips (MP4, MOV, AVI, WebM, up to 500MB), say something like "tri...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description advertise cloud video editing; the SKILL.md instructs the agent to authenticate and call nemovideo.ai endpoints and upload user media — that is consistent. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata shown to the platform lists no required config paths, which is an inconsistency between declared registry metadata and the runtime instructions.
! Instruction Scope
Instructions direct the agent to: (a) upload user video files to an external API (expected for this skill), (b) generate anonymous tokens if NEMO_TOKEN is absent, (c) persist session_id, and (d) detect the skill install path (e.g. check ~/.clawhub or ~/.cursor/skills/) to populate X-Skill-Platform. The install-path detection implies reading the user's filesystem (beyond just using the API) which is outside the strictly necessary editing flow and should be explicitly authorized. The instructions are otherwise specific about endpoints, headers, and error handling.
Install Mechanism
No install spec or code files are present — instruction-only. That reduces risk because nothing is written to disk by an install step.
Credentials
The skill only requires a single credential (NEMO_TOKEN), which is proportionate to a cloud editing service. The SKILL.md also includes a flow to obtain an anonymous token via an API call if a token is not provided—this is reasonable but note the skill will accept either a user-supplied token or a token it obtains on your behalf. No other unrelated credentials are requested.
Persistence & Privilege
always:false and normal model invocation are used. The skill instructs saving session_id and using tokens for requests (expected). It does not request permanent 'always' inclusion or modification of other skills' configurations.
What to consider before installing
This skill appears to do what it claims (upload your video to a cloud API and return an edited MP4), but review these points before installing:
1) It will upload whatever media you provide to https://mega-api-prod.nemovideo.ai — do not send private/sensitive footage until you trust the service and its privacy policy.
2) The skill requires a NEMO_TOKEN; if you don't supply one it will obtain an anonymous token for you (100 credits, 7-day expiry) by contacting the provider—be aware of rate/usage limits and that the provider will be able to see your uploads.
3) SKILL.md asks the agent to detect install paths (e.g., ~/.clawhub, ~/.cursor/skills/) and references a config path (~/.config/nemovideo/) in its frontmatter; this implies the agent may read parts of your home directory to produce attribution headers — if you want to avoid filesystem access, ask the developer to remove that behavior or explicitly confirm which paths will be read.
4) There is a metadata mismatch: the registry metadata reported no required config paths, but SKILL.md frontmatter lists one — request clarification from the skill author or review the skill source before granting access.
If you proceed, limit use to non-sensitive media and prefer providing your own NEMO_TOKEN from an account you control rather than relying on anonymous tokens.


latestvk97bb6je66vt49yk00fvxga55n84qd1c

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
