ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Upload Aioz

v1.0.0

upload video files into stored video files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators use it for uploading videos to...

0· 56·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to upload to the AIOZ decentralized network, but all runtime endpoints are on mega-api-prod.nemovideo.ai (NEMO). That brand/URL mismatch could be benign (NEMO is acting as a gateway) but is a meaningful inconsistency. Metadata also declares a config path (~/.config/nemovideo/) that suggests local state, which is plausible for a video upload session but not explained in the description.
Instruction Scope
SKILL.md instructs the agent to obtain or use a NEMO_TOKEN, create sessions, upload multipart files and poll render endpoints — behavior expected for a remote upload skill. It will send user files (possibly large and private) to a third-party server; that's inherent to an upload skill but is privacy-sensitive. The skill also instructs probing the install path to derive X-Skill-Platform, which implies reading environment/paths outside the immediate task.
Install Mechanism
No install script or external downloads are present (instruction-only skill), so nothing is written to disk by an installer. This lowers install-time risk.
!
Credentials
Declared required env var is NEMO_TOKEN (primary credential) which matches the service used. However, the runtime instructions allow generating an anonymous token by calling the remote API if NEMO_TOKEN is not present — so requiring NEMO_TOKEN in metadata is inconsistent. The metadata also lists a config path (~/.config/nemovideo/) that implies local storage of tokens/session state; the SKILL.md doesn't clearly justify why it needs filesystem config access beyond storing a session_id.
Persistence & Privilege
always is false and there's no indication the skill requests permanent platform-wide privileges or modifies other skills. It will store session tokens and may write to a per-skill config path, which is normal for a remote upload workflow.
What to consider before installing
This skill will upload whatever video files you give it to a remote backend (mega-api-prod.nemovideo.ai). Before installing or using it: (1) Confirm who operates mega-api-prod.nemovideo.ai and whether it truly connects to AIOZ as claimed — the domain mismatch is suspicious. (2) Be cautious about uploading sensitive content; the skill may create and store anonymous tokens and session state under ~/.config/nemovideo/. (3) Ask the publisher for a homepage or privacy policy and the intended relationship to AIOZ. (4) If you proceed, avoid sending private/confidential videos, prefer ephemeral accounts/tokens, and monitor what the agent posts (network logs) or test with non-sensitive files first. Additional information that would raise confidence: a verifiable homepage/repo, documentation showing NEMO→AIOZ mapping, and a clearer justification for the declared env/config entries.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ajkb27g1ftsa663rm5k52h84pts2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📤 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments