Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free Demo Video
v1.0.0Skip the learning curve of professional editing software. Describe what you want — trim the intro, add captions, and export a clean demo video — and get poli...
⭐ 0· 59·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is a cloud video-processing frontend and requires a single service token (NEMO_TOKEN), which is coherent with its stated purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not declared in the registry metadata, which is an inconsistency: either the skill expects local config files (more access) or the registry record is incomplete.
Instruction Scope
Most instructions stay within the video-editing scope (upload, SSE-based edit commands, export polling). Two behaviors require attention: (1) the skill instructs the agent to automatically connect to an external service on first open and obtain an anonymous token without explicit per-use consent, and (2) it derives an X-Skill-Platform header by inspecting install paths (~/ .clawhub/, ~/.cursor/skills/), which implies the agent may read filesystem paths to detect install location. Both are reasonable for a networked cloud service but expand the skill's runtime actions beyond simple, on-demand calls.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes risk from downloaded/installed code; all risky behavior would be from runtime network calls described in SKILL.md.
Credentials
Only one credential (NEMO_TOKEN) is required, which is proportionate to a third-party cloud service. Caveats: the skill instructs generating and storing an anonymous token automatically (100 free credits, 7 days) — it's not explicit where the token/session_id will be persisted. Also, SKILL.md metadata includes a configPaths entry (~/.config/nemovideo/) not declared in the registry 'required config paths'; this mismatch should be clarified because it affects what local files the skill may read/write.
Persistence & Privilege
always:false and model invocation is default (allowed). The skill does not request permanent platform-wide privileges or changes to other skills. The main persistence concern is vague: it tells the agent to 'store' session_id and NEMO_TOKEN but doesn't specify storage location, retention, or encryption.
What to consider before installing
Before installing: (1) Confirm you trust the external service domain (mega-api-prod.nemovideo.ai) because the skill will automatically request an anonymous token and upload videos to that service. (2) Ask the author to clarify where NEMO_TOKEN and session_id are persisted (environment, local config file, or memory) and how long they remain; persistent storage could expose tokens. (3) Clarify the conflicting metadata: SKILL.md lists ~/.config/nemovideo/ as a config path but the registry showed none — if the skill reads or writes that directory, it has broader filesystem access. (4) Be aware that the skill may perform automatic background network calls when first opened and may derive headers by checking common install paths (this implies filesystem access). (5) Avoid sending sensitive or proprietary footage until you verify the service's privacy policy and token handling. If the developer can confirm where tokens/sessions are stored and remove or document the configPath requirement, the remaining issues are minor.Like a lobster shell, security has layers — review code before you run it.
latestvk97cmyjsv61k8v73xw0ns51qf984q47y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN