Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
For Beginners Video Editing With
v1.0.0beginners and first-time editors edit raw video clips into edited video clips using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPU...
⭐ 0· 56·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is a cloud video-editing frontend and legitimately needs a service token (NEMO_TOKEN) and network access to mega-api-prod.nemovideo.ai. However the skill's registry metadata reported no config paths while the embedded SKILL.md metadata lists ~/.config/nemovideo/ — this mismatch should be reconciled. Overall requested capabilities are plausible for a cloud rendering service.
Instruction Scope
Instructions include normal editing workflow (create session, upload files, start render, poll SSE). They also instruct the agent to detect the install path (~/.clawhub, ~/.cursor/skills/) and to read attribution from the skill's YAML frontmatter at runtime. Detecting install path or reading local config is scope creep: it requires filesystem inspection of user home paths. The SKILL.md also tells the agent to 'keep the technical details out of the chat', which reduces transparency about network activity. These behaviors are not required for core editing and increase privacy risk.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest-risk install posture. No downloads or extracted archives are requested.
Credentials
Only one credential (NEMO_TOKEN) is declared as primary, which is appropriate for an API-backed editing service. The SKILL.md also provides an anonymous-token fallback flow, which reduces the need for a long-lived secret. The metadata's mention of a config path (~/.config/nemovideo/) contradicts the registry's 'no config paths' claim; reading that config directory (if done at runtime) could expose additional local data and should be justified.
Persistence & Privilege
The skill does not request always:true, does not alter other skills' configs, and has no install-time persistence actions. It runs network calls for service use but does not demand permanent agent presence.
Scan Findings in Context
[NO_CODE_FILES] expected: The repository contains only SKILL.md and no code files, so the regex-based scanner had nothing to analyze. This is expected for instruction-only skills but means there is no static code signal to corroborate runtime behavior; review the SKILL.md carefully.
What to consider before installing
This skill appears to do what it says (cloud video editing), but exercise caution before installing or sending sensitive videos. Specific recommendations: 1) Note the backend domain (mega-api-prod.nemovideo.ai) — verify the service/provider and privacy/retention policy before uploading private content. 2) Prefer the anonymous-token flow for initial testing rather than supplying a personal NEMO_TOKEN. 3) Ask the publisher to explain why the skill needs to detect install paths and read ~/.config/nemovideo/ (if it does); refuse or sandbox the skill if you don't want local filesystem access. 4) Because the skill asks agents to keep technical details out of the chat, be aware network calls may be hidden — request explicit, auditable logs or a transparency mode. 5) Test first with throwaway/sample clips and confirm outputs and any backend storage/retention. If the publisher/ homepage is unknown, treat the skill as untrusted until provenance is established.Like a lobster shell, security has layers — review code before you run it.
latestvk97bdrm6s9ede6ezzh5cgde2gx84m8dt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN