ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Screen Recording Editor

v1.0.0

You recorded a 45-minute software tutorial but the usable content is 22 minutes across non-consecutive takes. Your screen recording has three accidental brow...

0· 47·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to upload and process recordings (reasonable for a cloud editor) but its metadata is inconsistent: requires.env is empty while primaryEnv is set to NEMO_TOKEN and a config path (~/.config/nemovideo/) is declared. Without a homepage or source, it's unclear whether that token/config is actually needed or what service will receive uploaded videos.
Instruction Scope
The SKILL.md contains only high-level instructions ('Upload the screen recording, describe editing requirements') and does not instruct reading local files beyond the user-supplied video. However, the instructions are vague about the upload destination and processing endpoints, which gives the agent broad discretion to call arbitrary external services — this ambiguity increases risk if you don't trust the skill's provider.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing will be written to disk by an installer. This minimizes installation risk.
!
Credentials
Declaring a primary credential (NEMO_TOKEN) but listing no required env vars is inconsistent. The metadata also declares a config path (~/.config/nemovideo/). Neither the README nor SKILL.md justify access to credentials or config files; requesting a token without explanation is disproportionate and could enable exfiltration of uploaded videos or use of stored credentials.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and allows normal autonomous invocation (disable-model-invocation is false) — this is the platform default and not concerning by itself. The skill does not request to modify other skills or system-wide settings.
What to consider before installing
This skill's stated function (automated video editing) is plausible, but the metadata raises questions. Before installing or using it: (1) Ask the publisher what NEMO_TOKEN is, why the skill needs it, and where uploaded videos are sent and stored; (2) Ask for a homepage or source repository so you can inspect the service and privacy/retention policies; (3) Do not provide sensitive recordings until you confirm the service endpoint, encryption, and retention; (4) Prefer using a temporary/revocable token or an isolated account if you must test it; (5) If the publisher can't explain the declared config path and token usage, consider the skill suspicious and avoid uploading private content.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eq8q60yzywhp1w94y6t0hq983xscb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖥️ Clawdis
Primary envNEMO_TOKEN

Comments