ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Effects Generator

v1.0.0

add video clips into effects-enhanced videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. TikTok creators use it for adding visual effe...

0· 13·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with remote video rendering and the single required credential (NEMO_TOKEN) is appropriate for a cloud API. However, the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) that suggests the skill expects to read user configuration files — this was not reflected in the registry-level 'required config paths' and is unexplained by the stated purpose.
Instruction Scope
Runtime instructions stay mostly within expected scope (create session, upload user video files, run SSE for edits, poll render status). They instruct using local file paths for multipart uploads (expected for uploading user videos). Two places expand scope: (1) the frontmatter's configPaths implies reading ~/.config/nemovideo/, and (2) X-Skill-Platform header value is to be auto-detected from an 'install path' which may require querying local environment. These file/path accesses are not justified in the description.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk.
Credentials
Only a single credential is declared (NEMO_TOKEN), which is appropriate for this API. But SKILL.md metadata references a config path that may contain sensitive tokens or configuration; the skill also suggests using an anonymous token if NEMO_TOKEN is absent. The additional implied access to ~/.config is not declared elsewhere and should be clarified.
Persistence & Privilege
always is false and the skill does not request persistent system privileges. Autonomous invocation is allowed (platform default) but not by itself a problem here.
What to consider before installing
This skill looks like a legitimate cloud video-effects integration, but two things deserve attention before installing: (1) the SKILL.md frontmatter mentions reading ~/.config/nemovideo/ — ask the author why the skill needs that config path and whether it will read or modify files there. (2) The skill asks for a NEMO_TOKEN (or will obtain an anonymous token via the service). Only provide tokens you trust; if you don't want to expose local config, prefer using the anonymous token path and avoid granting the skill access to your home config directory. Also confirm the API domain (mega-api-prod.nemovideo.ai) is the official service for this skill and review any privacy/data-retention policy before uploading sensitive videos.

Like a lobster shell, security has layers — review code before you run it.

latestvk9766qv5mz6pmsykf1ex3ncnws84sedb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments