ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

For Marketing Video Editing With

v1.0.0

Cloud-based for-marketing-video-editing-with tool that handles editing product and brand videos for social media campaigns. Upload MP4, MOV, AVI, WebM files...

0· 56·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and runtime instructions consistently describe a cloud-based video editing service that accepts uploads and returns rendered MP4s; asking for a single API token (NEMO_TOKEN) is proportional. However, the SKILL.md frontmatter claims a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this discrepancy is unexplained.
Instruction Scope
SKILL.md instructs the agent to obtain or use NEMO_TOKEN, create sessions, upload user media, stream SSE chat, poll for renders, and save session_id. Those actions are expected for a remote render service. The file does not instruct the agent to read arbitrary system files or unrelated credentials. It does assume the agent can 'auto-detect' an install path for X-Skill-Platform and references a local config path in metadata — these assumptions may be inconsistent for an instruction-only skill and could cause the agent to access paths that aren't necessary.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing is downloaded or written to disk by an installer. This is the lowest install risk category.
Credentials
Only one environment variable (NEMO_TOKEN) is declared, which is reasonable for an API-backed service. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) which was not reflected in the registry requirements; if the skill actually reads that path it would expand its scope and access local files, so this mismatch should be clarified before trusting it with sensitive data.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It does instruct saving transient session_id and using tokens for API calls, which is typical and not excessive on its face.
What to consider before installing
This skill appears to be a straightforward cloud video-editing integration, but there are a few things to check before installing or using it: 1) Confirm the service domain (mega-api-prod.nemovideo.ai) and its privacy/data-retention policy — you will be uploading video files to that external endpoint. 2) Ask the publisher why SKILL.md metadata lists ~/.config/nemovideo/ (a local config path) while the registry shows no config paths; clarify whether the agent will read or write any local files. 3) Be cautious with sensitive footage — prefer test or anonymized clips until you trust the service. 4) If you don't already have a trusted NEMO_TOKEN, the skill’s anonymous-token flow issues ephemeral tokens; confirm how/where tokens and session IDs are stored by your agent. If the publisher cannot explain the config-path mismatch or provide a privacy/terms link, treat the skill as higher risk and avoid uploading confidential material.

Like a lobster shell, security has layers — review code before you run it.

latestvk979nmbgx5z6tma82d946wse8s84mp9t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📢 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments