Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Editor Ai Instagram
v1.0.0
Instagram creators edit video clips into Instagram-ready clips using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080p, and...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (cloud GPU video editing) aligns with needing an API token (NEMO_TOKEN) and making upload/render API calls. However the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) and uses install-path detection to set an attribution header — these filesystem accesses are not declared in the registry metadata and are not strictly necessary to provide basic editing capability.
Instruction Scope
Instructions tell the agent to create sessions, upload files, run SSE, and poll render status — all consistent with the stated purpose. Concerns: (1) If NEMO_TOKEN is absent the skill instructs the agent to generate an anonymous token via POST to an external endpoint (fine functionally but requires network access). (2) It requires deriving three attribution headers from YAML frontmatter and detecting install paths (e.g., ~/.clawhub/, ~/.cursor/) — this implies reading the filesystem to detect install location or config files, which is scope creep relative to simple upload/render. (3) The names/values of the 'three attribution headers' are ambiguous in the doc, which could lead to incorrect or surprising behavior.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing will be written to disk by an installer. That lowers risk compared to remote-download installs.
Credentials
Only one required env var (NEMO_TOKEN) is declared, which is proportionate for an API-backed editing service. However the frontmatter also lists a config path (~/.config/nemovideo/) that was not declared elsewhere — reading that directory could expose other local config or credentials. The skill also instructs deriving headers based on install paths, which could cause additional filesystem reads.
Persistence & Privilege
always:false and no install hooks are declared. The skill does not request elevated or permanent presence in the agent beyond normal autonomous invocation (default), and it does not claim to modify other skills or global agent settings.
What to consider before installing
This skill appears to implement a cloud video-editing service and legitimately needs an API token and network access. Before installing: (1) Verify the backend domain (mega-api-prod.nemovideo.ai) and the service's privacy/retention policy — the skill will upload your videos to that service. (2) Prefer using an anonymous/starter token (as described) rather than placing a long-lived credential in your environment. (3) Ask the author to clarify the 'three attribution headers' and why install-path detection or ~/.config/nemovideo/ access is needed; these require the agent to read local filesystem paths and may expose unexpected data. (4) If you have sensitive data in home config dirs, avoid granting the skill filesystem access or do not install it until provenance/homepage is confirmed. The lack of a homepage and the registry-frontmatter mismatch are reasons to be cautious.
Like a lobster shell, security has layers — review code before you run it.
latest vk979d0v6n3syv7wyg744pck65184j6dq
Runtime requirements
📱 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
