Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lecture Video Editing
v1.0.0Get polished lecture videos ready to post, without touching a single slider. Upload your raw lecture footage (MP4, MOV, AVI, WebM, up to 500MB), say somethin...
⭐ 0· 46·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description align with a cloud video-editing backend and the single required credential (NEMO_TOKEN) is plausible. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and runtime detection of install path that are not reflected in the registry metadata — a mild inconsistency. Requiring attribution headers and an auth token is coherent with a remote rendering service.
Instruction Scope
Runtime instructions instruct the agent to (a) check environment for NEMO_TOKEN, (b) if absent, call the external API to obtain an anonymous token and use it, (c) create sessions and upload user video files (up to 500MB) to https://mega-api-prod.nemovideo.ai, and (d) detect install path to set X-Skill-Platform. Uploading potentially sensitive lecture video to an external service is expected for this skill but the SKILL.md does not require an explicit user consent/confirmation step before uploads. It also instructs the agent to hide raw API responses and token values from users, which can obscure debugging or auditing of what was sent/received.
Install Mechanism
Instruction-only skill with no install spec or downloadable code. No files are written by an installer and there are no external archives or package installs indicated.
Credentials
Only NEMO_TOKEN is declared as required, which is proportionate for a cloud API. The SKILL.md will auto-generate an anonymous token if one is not provided; this is consistent with needing a token but means the skill can obtain and use credentials without explicit user-provided secrets. The frontmatter's mention of a config path (~/.config/nemovideo/) is present in the skill content but not in the registry requirements — a small mismatch to be aware of.
Persistence & Privilege
always:false and no install-time persistence are set. The skill runs against an external API, creates sessions, and stores session IDs for the interaction, but it does not request system-wide privileges or attempt to modify other skills. Autonomous invocation is allowed (platform default) and not by itself a problem.
What to consider before installing
This skill sends your uploaded lecture videos (potentially up to 500MB) to an external service (mega-api-prod.nemovideo.ai) for processing. Before installing or using it: (1) Confirm you are comfortable uploading potentially sensitive lecture content to that domain and review any privacy policy from the service (none is linked here). (2) Know that if you don't supply a NEMO_TOKEN, the skill will fetch an anonymous token for you automatically — that grants the skill API access for 7 days/100 credits. (3) Expect the agent to read your video files and a small amount of filesystem context (to detect install path); it may hide raw API responses/tokens from the UI. (4) If the lectures contain confidential student data or restricted material, prefer an on-prem/local workflow or verify the vendor and data-retention practices first. (5) The skill metadata has a minor inconsistency (declared config path in SKILL.md vs registry). If you need higher assurance, ask the skill author for a homepage/privacy page, or run uploads on a temporary/test recording first.Like a lobster shell, security has layers — review code before you run it.
latestvk978zcrpeab4t2pc8dtenqy6xd84pdsk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎓 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN