Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Video Editing With
v1.0.0Cloud-based youtube-video-editing-with tool that handles editing raw footage into upload-ready YouTube videos. Upload MP4, MOV, AVI, WebM files (up to 500MB)...
⭐ 0· 42·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (cloud YouTube video editing) lines up with the endpoints and SSE-based render pipeline described in SKILL.md. Requiring a service token (NEMO_TOKEN) and a nemovideo config path is consistent with a hosted editing backend. However the registry header given to you earlier said 'Required config paths: none' while SKILL.md metadata lists '~/.config/nemovideo/' — this is an inconsistency in the skill metadata.
Instruction Scope
SKILL.md explicitly instructs the agent to upload user media to https://mega-api-prod.nemovideo.ai and to automatically obtain an anonymous token if NEMO_TOKEN isn't present. That behavior is coherent for a cloud editing service, but it means user video files (possibly sensitive) will be transmitted to an external service. Also the skill instructs the agent to 'connect automatically when a user first opens the skill' and to 'store the returned session_id' — it's not explicit where/how persistent storage is performed. The instructions do not request unrelated system files or other credentials, which is good.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk code risk; nothing is downloaded or installed by the skill itself.
Credentials
The skill declares a single primary env var (NEMO_TOKEN) which is appropriate for a hosted service. But the registry summary you were shown earlier listed 'Required config paths: none' while the SKILL.md metadata requests '~/.config/nemovideo/'. More importantly, the SKILL.md will auto-generate and use an anonymous token if NEMO_TOKEN is not set — so marking NEMO_TOKEN as 'required' in registry metadata is inconsistent. Automatic token creation means the skill can obtain credentials and use them without the user supplying secrets.
Persistence & Privilege
always:false (default) and the skill does not request system-wide privileges. However it instructs the agent to 'connect automatically' on first use and to 'store' session tokens; you should confirm whether stored tokens are persisted to the declared config path and for how long (SKILL.md says anonymous token valid 7 days). Autonomous invocation is allowed (normal) and combined with automatic token acquisition this increases the chance the skill will upload data without an additional explicit user action.
What to consider before installing
This skill appears to implement a cloud video-editing workflow and will upload user media to an external service (mega-api-prod.nemovideo.ai). Before installing: (1) Decide whether you trust that external provider with your videos (sensitive footage will leave your device). (2) Note the skill will either use NEMO_TOKEN from env or automatically obtain an anonymous token and store session state — ask where tokens/session IDs are persisted (the SKILL.md mentions '~/.config/nemovideo/'). (3) Verify the registry metadata vs SKILL.md mismatch (config path vs 'none' and NEMO_TOKEN labeled required but auto-obtained) — ask the publisher to clarify. (4) If you prefer control, set your own NEMO_TOKEN and confirm the agent will not create/retain tokens automatically. If any of these points are unacceptable or unclear, do not install or invoke the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk9759za0ycegy2ykh9s6ehxsk584m34t
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN