Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instagram Reels Editor

v1.0.6

The Reel that did well wasn't a coincidence. It opened on a tight visual — no buildup, no logo intro, straight into the moment. The caption appeared on scree...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name and description describe an online Reels video editor that would reasonably call a backend API. However the top-level registry metadata provided earlier lists no required env vars or config paths, while the SKILL.md metadata explicitly requires NEMO_TOKEN and access to ~/.config/nemovideo/. That mismatch (registry vs SKILL.md) is an incoherence: either the skill actually needs credentials/config or the registry listing is inaccurate.
! Instruction Scope
SKILL.md is high-level and instruction-only (no commands or code), which is normal. But it implicitly sends user media and scripts to the apiDomain (https://mega-api-dev.nemovideo.ai). The document does not state what data is transmitted, how it is stored or retained, or what the token authorizes. Also the apiDomain is a 'dev' subdomain rather than a clearly production API endpoint — that increases risk and ambiguity about where user content would be processed.
Install Mechanism
There is no install spec and no code files — instruction-only skill. This minimizes on-disk footprint and installation risk.
Credentials
SKILL.md declares a single primaryEnv (NEMO_TOKEN) and a config path (~/.config/nemovideo/) which are plausible for a service-backed editor. That said, these requirements contradict the registry summary (which claimed no required env/config). Requesting a token is expected, but access to a local config directory may expose other local data if the agent reads arbitrary files; the skill does not explain why both are needed or the token's scope.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only. It does not request system-wide persistence or special agent privileges in the provided materials.
What to consider before installing
Before installing, verify the inconsistency between the registry listing (which shows no requirements) and the SKILL.md (which requires a NEMO_TOKEN and access to ~/.config/nemovideo/). Ask the publisher: which API domain is production vs dev, what exact scopes does NEMO_TOKEN grant, and how are uploaded videos stored/retained/deleted? Inspect the repository linked on GitHub for implementation details and confirm the API endpoint is legitimate (not a personal/dev server). If you must test, use non-sensitive sample media and a limited-scope test token. Avoid uploading private or regulated content until you’ve confirmed the provider’s privacy policy and token scope.
