ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Audio Editor Free

v1.0.0

Get clean edited videos ready to post, without touching a single slider. Upload your audio files (MP4, MOV, MP3, WAV, up to 500MB), say something like "remov...

0· 19·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with calling a remote NemoVideo-style API to edit audio/video and return downloads. However the YAML frontmatter metadata lists a config path (~/.config/nemovideo/) while the registry metadata earlier reported no required config paths — that mismatch is unexplained and suggests the skill may look for local config or credentials it didn't declare.
Instruction Scope
SKILL.md instructions stay within the stated purpose (create session, upload media, run SSE, poll renders, return download URLs). But they also say X-Skill-Platform is 'detected from the install path' (e.g., ~/.clawhub/ or ~/.cursor/skills/) which implies the agent may inspect local paths to set request headers — this is not explicit in the declared requirements and broadens scope beyond mere network calls.
Install Mechanism
No install spec or code files — instruction-only skill. That lowers disk/write risk; nothing is fetched or executed locally by an installer.
Credentials
Only a single credential (NEMO_TOKEN) is required, which is appropriate for a third-party API. But the frontmatter's configPaths suggests possible access to '~/.config/nemovideo/' (not listed in registry fields), creating ambiguity about what local data the skill may read. The skill also instructs obtaining an anonymous token via an API call if no token is present — that will send usage metadata to the remote service.
Persistence & Privilege
always is false and the skill doesn't request persistent system-wide changes. Autonomous invocation is allowed (platform default) and appropriate for this type of skill. There are no install-time scripts or instructions to modify other skills.
What to consider before installing
This skill appears to call a third-party cloud service (mega-api-prod.nemovideo.ai) to process uploaded audio/video. Before installing or using it: (1) confirm you trust that domain and understand its privacy/storage/retention policies — your media will be uploaded to that service; (2) prefer supplying your own NEMO_TOKEN (if you have one) rather than relying on anonymous tokens; (3) be aware the skill may inspect install/config paths (e.g., ~/.config/nemovideo/ or ~/.clawhub/) to set headers — avoid installing if you don't want local paths queried; (4) ask the publisher for clarification about the configPaths metadata mismatch and for a privacy policy or homepage. If you need stronger assurance, request source code or a vetted package rather than an instruction-only skill from an unknown source.

Like a lobster shell, security has layers — review code before you run it.

latestvk978h4wgsab641djbabg0vn799851z3m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎧 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments