ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Maker Effects Free Download

v1.0.0

Get effects-enhanced videos ready to post, without touching a single slider. Upload your video clips (MP4, MOV, AVI, WebM, up to 500MB), say something like "...

0· 34·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with using a remote rendering API; requiring a service token (NEMO_TOKEN) and uploading user media is coherent. However the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/) while the registry metadata showed no required config paths — this mismatch is unexpected.
Instruction Scope
Instructions are focused on establishing a session, optional anonymous token acquisition, uploading media, streaming SSE, polling render status, and returning a download URL. They do not ask the agent to read arbitrary system files or unrelated credentials. One ambiguous instruction: set X-Skill-Platform by 'auto-detect: from install path' — that implies access to install path information and is underspecified.
Install Mechanism
No install spec and no code files (instruction-only), so nothing is written to disk by the skill itself. This is the lowest-risk install profile.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which is proportionate for a hosted video API. The SKILL.md frontmatter however lists a config path (~/.config/nemovideo/) that could indicate the skill expects to read local configuration — this is not justified by the registry summary and should be clarified before granting access.
Persistence & Privilege
always is false and there's no install step that requests persistent or elevated privileges. The skill does not ask to modify other skills or system-level settings.
What to consider before installing
This skill appears to be a wrapper for a cloud video-effects service and will upload whatever media you give it to https://mega-api-prod.nemovideo.ai. Before using it: (1) Confirm you trust that remote host and read its privacy/terms — do not upload sensitive videos you wouldn't share elsewhere. (2) Note the skill needs NEMO_TOKEN; ensure any token you provide has limited scope and can be revoked. (3) Ask the publisher to clarify the config-path inconsistency (~/.config/nemovideo/ appears in the SKILL.md frontmatter but not in registry metadata) and explain what 'auto-detect install path' means for X-Skill-Platform (this may require reading agent install paths). (4) If you cannot verify the service or the publisher, prefer using a vetted tool or a vendor-hosted web UI instead of this skill. If you need higher assurance, request the skill author supply a privacy statement, the service domain owner, and explicit statement of exactly what local paths (if any) the skill will read.

Like a lobster shell, security has layers — review code before you run it.

latestvk972kq15azzstkhtnyreqwmv4184r87c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments